BigQuery IAM roles and permissions

This document provides a list of Identity and Access Management (IAM) predefined roles and permissions for BigQuery. This page includes roles and permissions for the following:

BigQuery: Roles and permissions that apply to BigQuery resources such as datasets, tables, views, and routines. Many of these roles and permissions can also be granted to Resource Manager resources like projects, folders, and organizations.
BigQuery Connection API: Role that grants a service agent access to a Cloud SQL connection.
BigQuery Continuous Query: Role that grants a service account access to a continuous query.
BigQuery Data Policy: Roles and permissions that apply to Data Policies in BigQuery.
BigQuery Data Transfer Service: Role that grants a service agent access to create jobs that transfer data.
BigQuery Engine for Apache Flink: Roles and permissions that apply to BigQuery Engine for Apache Flink resources.
BigQuery Migration Service API: Roles and permissions that apply to BigQuery Migration Service resources.
BigQuery Omni: Role that grants a service agent access to tables.
BigQuery sharing: Roles and permissions that apply to BigQuery sharing resources.

BigQuery predefined IAM roles

The following tables list the predefined BigQuery IAM roles with a corresponding list of all the permissions each role includes. Note that each permission is applicable to a particular resource type.

BigQuery roles

This table lists the IAM roles and permissions for BigQuery. To search through all roles and permissions, see the role and permission index.

Role Permissions

Role	Permissions
BigQuery Admin (`roles/bigquery.admin`) Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project. Lowest-level resources where you can grant this role: Dataset These resources within a dataset: Table View Routine Connection Saved query Data canvas Pipeline Data preparation Repository This role can also be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.bireservations.` `bigquery.bireservations.get` `bigquery.bireservations.update` `bigquery.capacityCommitments.` `bigquery.capacityCommitments.create` `bigquery.capacityCommitments.delete` `bigquery.capacityCommitments.get` `bigquery.capacityCommitments.list` `bigquery.capacityCommitments.update` `bigquery.config.` `bigquery.config.get` `bigquery.config.update` `bigquery.connections.` `bigquery.connections.create` `bigquery.connections.delegate` `bigquery.connections.delete` `bigquery.connections.get` `bigquery.connections.getIamPolicy` `bigquery.connections.list` `bigquery.connections.setIamPolicy` `bigquery.connections.update` `bigquery.connections.updateTag` `bigquery.connections.use` `bigquery.dataPolicies.create` `bigquery.dataPolicies.delete` `bigquery.dataPolicies.get` `bigquery.dataPolicies.getIamPolicy` `bigquery.dataPolicies.list` `bigquery.dataPolicies.setIamPolicy` `bigquery.dataPolicies.update` `bigquery.datasets.` `bigquery.datasets.create` `bigquery.datasets.createTagBinding` `bigquery.datasets.delete` `bigquery.datasets.deleteTagBinding` `bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.datasets.link` `bigquery.datasets.listEffectiveTags` `bigquery.datasets.listSharedDatasetUsage` `bigquery.datasets.listTagBindings` `bigquery.datasets.setIamPolicy` `bigquery.datasets.update` `bigquery.datasets.updateTag` `bigquery.jobs.` `bigquery.jobs.create` `bigquery.jobs.delete` `bigquery.jobs.get` `bigquery.jobs.list` `bigquery.jobs.listAll` `bigquery.jobs.listExecutionMetadata` `bigquery.jobs.update` `bigquery.models.` `bigquery.models.create` `bigquery.models.delete` `bigquery.models.export` `bigquery.models.getData` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.models.updateData` `bigquery.models.updateMetadata` `bigquery.models.updateTag` `bigquery.objectRefs.` `bigquery.objectRefs.read` `bigquery.objectRefs.write` `bigquery.readsessions.` `bigquery.readsessions.create` `bigquery.readsessions.getData` `bigquery.readsessions.update` `bigquery.reservationAssignments.` `bigquery.reservationAssignments.create` `bigquery.reservationAssignments.delete` `bigquery.reservationAssignments.list` `bigquery.reservationAssignments.search` `bigquery.reservations.` `bigquery.reservations.create` `bigquery.reservations.delete` `bigquery.reservations.get` `bigquery.reservations.list` `bigquery.reservations.listFailoverDatasets` `bigquery.reservations.update` `bigquery.reservations.use` `bigquery.routines.` `bigquery.routines.create` `bigquery.routines.delete` `bigquery.routines.get` `bigquery.routines.list` `bigquery.routines.update` `bigquery.routines.updateTag` `bigquery.rowAccessPolicies.create` `bigquery.rowAccessPolicies.delete` `bigquery.rowAccessPolicies.get` `bigquery.rowAccessPolicies.getIamPolicy` `bigquery.rowAccessPolicies.list` `bigquery.rowAccessPolicies.overrideTimeTravelRestrictions` `bigquery.rowAccessPolicies.setIamPolicy` `bigquery.rowAccessPolicies.update` `bigquery.savedqueries.` `bigquery.savedqueries.create` `bigquery.savedqueries.delete` `bigquery.savedqueries.get` `bigquery.savedqueries.list` `bigquery.savedqueries.update` `bigquery.tables.` `bigquery.tables.create` `bigquery.tables.createIndex` `bigquery.tables.createSnapshot` `bigquery.tables.createTagBinding` `bigquery.tables.delete` `bigquery.tables.deleteIndex` `bigquery.tables.deleteSnapshot` `bigquery.tables.deleteTagBinding` `bigquery.tables.export` `bigquery.tables.get` `bigquery.tables.getData` `bigquery.tables.getIamPolicy` `bigquery.tables.list` `bigquery.tables.listEffectiveTags` `bigquery.tables.listTagBindings` `bigquery.tables.replicateData` `bigquery.tables.restoreSnapshot` `bigquery.tables.setCategory` `bigquery.tables.setColumnDataPolicy` `bigquery.tables.setIamPolicy` `bigquery.tables.update` `bigquery.tables.updateData` `bigquery.tables.updateIndex` `bigquery.tables.updateTag` `bigquery.transfers.` `bigquery.transfers.get` `bigquery.transfers.update` `bigquerymigration.translation.translate` `cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `dataform.` `dataform.commentThreads.create` `dataform.commentThreads.delete` `dataform.commentThreads.get` `dataform.commentThreads.list` `dataform.commentThreads.update` `dataform.comments.create` `dataform.comments.delete` `dataform.comments.get` `dataform.comments.list` `dataform.comments.update` `dataform.compilationResults.create` `dataform.compilationResults.get` `dataform.compilationResults.list` `dataform.compilationResults.query` `dataform.config.get` `dataform.config.update` `dataform.locations.get` `dataform.locations.list` `dataform.releaseConfigs.create` `dataform.releaseConfigs.delete` `dataform.releaseConfigs.get` `dataform.releaseConfigs.list` `dataform.releaseConfigs.update` `dataform.repositories.commit` `dataform.repositories.computeAccessTokenStatus` `dataform.repositories.create` `dataform.repositories.delete` `dataform.repositories.fetchHistory` `dataform.repositories.fetchRemoteBranches` `dataform.repositories.get` `dataform.repositories.getIamPolicy` `dataform.repositories.list` `dataform.repositories.queryDirectoryContents` `dataform.repositories.readFile` `dataform.repositories.setIamPolicy` `dataform.repositories.update` `dataform.workflowConfigs.create` `dataform.workflowConfigs.delete` `dataform.workflowConfigs.get` `dataform.workflowConfigs.list` `dataform.workflowConfigs.update` `dataform.workflowInvocations.cancel` `dataform.workflowInvocations.create` `dataform.workflowInvocations.delete` `dataform.workflowInvocations.get` `dataform.workflowInvocations.list` `dataform.workflowInvocations.query` `dataform.workspaces.commit` `dataform.workspaces.create` `dataform.workspaces.delete` `dataform.workspaces.fetchFileDiff` `dataform.workspaces.fetchFileGitStatuses` `dataform.workspaces.fetchGitAheadBehind` `dataform.workspaces.get` `dataform.workspaces.getIamPolicy` `dataform.workspaces.installNpmPackages` `dataform.workspaces.list` `dataform.workspaces.makeDirectory` `dataform.workspaces.moveDirectory` `dataform.workspaces.moveFile` `dataform.workspaces.pull` `dataform.workspaces.push` `dataform.workspaces.queryDirectoryContents` `dataform.workspaces.readFile` `dataform.workspaces.removeDirectory` `dataform.workspaces.removeFile` `dataform.workspaces.reset` `dataform.workspaces.searchFiles` `dataform.workspaces.setIamPolicy` `dataform.workspaces.writeFile` `dataplex.datascans.` `dataplex.datascans.create` `dataplex.datascans.delete` `dataplex.datascans.get` `dataplex.datascans.getData` `dataplex.datascans.getIamPolicy` `dataplex.datascans.list` `dataplex.datascans.run` `dataplex.datascans.setIamPolicy` `dataplex.datascans.update` `dataplex.operations.get` `dataplex.operations.list` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Connection Admin (`roles/bigquery.connectionAdmin`) Lowest-level resources where you can grant this role: Connection This role can also be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.connections.*` `bigquery.connections.create` `bigquery.connections.delegate` `bigquery.connections.delete` `bigquery.connections.get` `bigquery.connections.getIamPolicy` `bigquery.connections.list` `bigquery.connections.setIamPolicy` `bigquery.connections.update` `bigquery.connections.updateTag` `bigquery.connections.use`
BigQuery Connection User (`roles/bigquery.connectionUser`) Lowest-level resources where you can grant this role: Connection This role can also be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.connections.get` `bigquery.connections.getIamPolicy` `bigquery.connections.list` `bigquery.connections.use`
BigQuery Data Editor (`roles/bigquery.dataEditor`) When granted on a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Delete the table or view. This role cannot be granted to individual models. When granted on a dataset, this role provides permissions to: Read the dataset's metadata and list tables in the dataset. Create, update, get, and delete the dataset's tables. The BigQuery Data Editor role is mapped to the `WRITER` BigQuery basic role. When you grant the BigQuery Data Editor role to a principal at the dataset level, the principal is granted `WRITER` access to the dataset. When applied at the project or organization level, this role also lets users create new datasets. Lowest-level resources where you can grant this role: Dataset These resources within a dataset: Table View Routine This role can also be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.config.get` `bigquery.datasets.create` `bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.datasets.updateTag` `bigquery.models.` `bigquery.models.create` `bigquery.models.delete` `bigquery.models.export` `bigquery.models.getData` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.models.updateData` `bigquery.models.updateMetadata` `bigquery.models.updateTag` `bigquery.routines.` `bigquery.routines.create` `bigquery.routines.delete` `bigquery.routines.get` `bigquery.routines.list` `bigquery.routines.update` `bigquery.routines.updateTag` `bigquery.tables.create` `bigquery.tables.createIndex` `bigquery.tables.createSnapshot` `bigquery.tables.delete` `bigquery.tables.deleteIndex` `bigquery.tables.export` `bigquery.tables.get` `bigquery.tables.getData` `bigquery.tables.getIamPolicy` `bigquery.tables.list` `bigquery.tables.replicateData` `bigquery.tables.restoreSnapshot` `bigquery.tables.update` `bigquery.tables.updateData` `bigquery.tables.updateIndex` `bigquery.tables.updateTag` `cloudkms.keyHandles.*` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `dataplex.datascans.create` `dataplex.datascans.delete` `dataplex.datascans.get` `dataplex.datascans.getData` `dataplex.datascans.getIamPolicy` `dataplex.datascans.list` `dataplex.datascans.run` `dataplex.datascans.update` `dataplex.operations.get` `dataplex.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Data Owner (`roles/bigquery.dataOwner`) When granted on a table or view, this role provides permissions to: Read and update data and metadata for the table or view. Share the table or view. Delete the table or view. This role cannot be granted to individual models. When granted on a dataset, this role provides permissions to: Read, update, and delete the dataset. Create, update, get, and delete the dataset's tables. The BigQuery Data Owner role is mapped to the `OWNER` BigQuery basic role. When you grant the BigQuery Data Owner role to a principal at the dataset level, the principal is granted `OWNER` access to the dataset. When applied at the project or organization level, this role can also create new datasets. Lowest-level resources where you can grant this role: Dataset These resources within a dataset: Table View Routine This role can also be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.config.get` `bigquery.dataPolicies.create` `bigquery.dataPolicies.delete` `bigquery.dataPolicies.get` `bigquery.dataPolicies.getIamPolicy` `bigquery.dataPolicies.list` `bigquery.dataPolicies.setIamPolicy` `bigquery.dataPolicies.update` `bigquery.datasets.` `bigquery.datasets.create` `bigquery.datasets.createTagBinding` `bigquery.datasets.delete` `bigquery.datasets.deleteTagBinding` `bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.datasets.link` `bigquery.datasets.listEffectiveTags` `bigquery.datasets.listSharedDatasetUsage` `bigquery.datasets.listTagBindings` `bigquery.datasets.setIamPolicy` `bigquery.datasets.update` `bigquery.datasets.updateTag` `bigquery.models.` `bigquery.models.create` `bigquery.models.delete` `bigquery.models.export` `bigquery.models.getData` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.models.updateData` `bigquery.models.updateMetadata` `bigquery.models.updateTag` `bigquery.routines.` `bigquery.routines.create` `bigquery.routines.delete` `bigquery.routines.get` `bigquery.routines.list` `bigquery.routines.update` `bigquery.routines.updateTag` `bigquery.rowAccessPolicies.create` `bigquery.rowAccessPolicies.delete` `bigquery.rowAccessPolicies.get` `bigquery.rowAccessPolicies.getIamPolicy` `bigquery.rowAccessPolicies.list` `bigquery.rowAccessPolicies.setIamPolicy` `bigquery.rowAccessPolicies.update` `bigquery.tables.` `bigquery.tables.create` `bigquery.tables.createIndex` `bigquery.tables.createSnapshot` `bigquery.tables.createTagBinding` `bigquery.tables.delete` `bigquery.tables.deleteIndex` `bigquery.tables.deleteSnapshot` `bigquery.tables.deleteTagBinding` `bigquery.tables.export` `bigquery.tables.get` `bigquery.tables.getData` `bigquery.tables.getIamPolicy` `bigquery.tables.list` `bigquery.tables.listEffectiveTags` `bigquery.tables.listTagBindings` `bigquery.tables.replicateData` `bigquery.tables.restoreSnapshot` `bigquery.tables.setCategory` `bigquery.tables.setColumnDataPolicy` `bigquery.tables.setIamPolicy` `bigquery.tables.update` `bigquery.tables.updateData` `bigquery.tables.updateIndex` `bigquery.tables.updateTag` `cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `dataplex.datascans.` `dataplex.datascans.create` `dataplex.datascans.delete` `dataplex.datascans.get` `dataplex.datascans.getData` `dataplex.datascans.getIamPolicy` `dataplex.datascans.list` `dataplex.datascans.run` `dataplex.datascans.setIamPolicy` `dataplex.datascans.update` `dataplex.operations.get` `dataplex.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Data Viewer (`roles/bigquery.dataViewer`) When granted on a table or view, this role provides permissions to: Read data and metadata from the table or view. This role cannot be granted to individual models. When granted on a dataset, this role provides permissions to list all of the resources in the dataset (such as tables, views, snapshots, models, and routines) and to read their data and metadata with applicable APIs and in queries. The BigQuery Data Viewer role is mapped to the `READER` BigQuery basic role. When you grant the BigQuery Data Viewer role to a principal at the dataset level, the principal is granted `READER` access to the dataset. When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Dataset These resources within a dataset: Table View Routine This role can also be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.models.export` `bigquery.models.getData` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.routines.get` `bigquery.routines.list` `bigquery.tables.createSnapshot` `bigquery.tables.export` `bigquery.tables.get` `bigquery.tables.getData` `bigquery.tables.getIamPolicy` `bigquery.tables.list` `bigquery.tables.replicateData` `dataplex.datascans.get` `dataplex.datascans.getData` `dataplex.datascans.getIamPolicy` `dataplex.datascans.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Filtered Data Viewer (`roles/bigquery.filteredDataViewer`) Access to view filtered table data defined by a row access policy. `bigquery.filteredDataViewer` is a system-managed role. Grant the role by using row-level access policies. Don't apply the role directly to a resource through Identity and Access Management (IAM).	`bigquery.rowAccessPolicies.getFilteredData`
BigQuery Job User (`roles/bigquery.jobUser`) Provides permissions to run jobs, including queries, within the project. This role can only be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.config.get` `bigquery.jobs.create` `dataform.locations.*` `dataform.locations.get` `dataform.locations.list` `dataform.repositories.create` `dataform.repositories.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) When granted on a table or view, this role provides permissions to: Read metadata from the table or view. This role cannot be granted to individual models. When granted on a dataset, this role provides permissions to: List tables and views in the dataset. Read metadata from the dataset's tables and views. When applied at the project or organization level, this role provides permissions to: List all datasets and read metadata for all datasets in the project. List all tables and views and read metadata for all tables and views in the project. Additional roles are necessary to allow the running of jobs. Lowest-level resources where you can grant this role: Dataset These resources within a dataset: Table View Routine This role can also be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.routines.get` `bigquery.routines.list` `bigquery.tables.get` `bigquery.tables.getIamPolicy` `bigquery.tables.list` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery ObjectRef Admin (`roles/bigquery.objectRefAdmin`) Administer ObjectRef resources that includes read and write permissions Lowest-level resources where you can grant this role: Connection This role can also be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.objectRefs.*` `bigquery.objectRefs.read` `bigquery.objectRefs.write`
BigQuery ObjectRef Reader (`roles/bigquery.objectRefReader`) Role for reading referenced objects via ObjectRefs in BigQuery Lowest-level resources where you can grant this role: Connection This role can also be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.objectRefs.read`
BigQuery Read Session User (`roles/bigquery.readSessionUser`) Provides the ability to create and use read sessions. This role can only be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.readsessions.*` `bigquery.readsessions.create` `bigquery.readsessions.getData` `bigquery.readsessions.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) Administers BigQuery workloads, including slot assignments, commitments, and reservations. This role can only be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.bireservations.` `bigquery.bireservations.get` `bigquery.bireservations.update` `bigquery.capacityCommitments.` `bigquery.capacityCommitments.create` `bigquery.capacityCommitments.delete` `bigquery.capacityCommitments.get` `bigquery.capacityCommitments.list` `bigquery.capacityCommitments.update` `bigquery.jobs.get` `bigquery.jobs.list` `bigquery.jobs.listAll` `bigquery.jobs.listExecutionMetadata` `bigquery.reservationAssignments.` `bigquery.reservationAssignments.create` `bigquery.reservationAssignments.delete` `bigquery.reservationAssignments.list` `bigquery.reservationAssignments.search` `bigquery.reservations.` `bigquery.reservations.create` `bigquery.reservations.delete` `bigquery.reservations.get` `bigquery.reservations.list` `bigquery.reservations.listFailoverDatasets` `bigquery.reservations.update` `bigquery.reservations.use` `recommender.bigqueryCapacityCommitmentsInsights.` `recommender.bigqueryCapacityCommitmentsInsights.get` `recommender.bigqueryCapacityCommitmentsInsights.list` `recommender.bigqueryCapacityCommitmentsInsights.update` `recommender.bigqueryCapacityCommitmentsRecommendations.` `recommender.bigqueryCapacityCommitmentsRecommendations.get` `recommender.bigqueryCapacityCommitmentsRecommendations.list` `recommender.bigqueryCapacityCommitmentsRecommendations.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Resource Editor (`roles/bigquery.resourceEditor`) Manages BigQuery workloads, but is unable to create or modify slot commitments. This role can only be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.bireservations.get` `bigquery.capacityCommitments.get` `bigquery.capacityCommitments.list` `bigquery.jobs.get` `bigquery.jobs.list` `bigquery.jobs.listAll` `bigquery.jobs.listExecutionMetadata` `bigquery.reservationAssignments.` `bigquery.reservationAssignments.create` `bigquery.reservationAssignments.delete` `bigquery.reservationAssignments.list` `bigquery.reservationAssignments.search` `bigquery.reservations.` `bigquery.reservations.create` `bigquery.reservations.delete` `bigquery.reservations.get` `bigquery.reservations.list` `bigquery.reservations.listFailoverDatasets` `bigquery.reservations.update` `bigquery.reservations.use` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) Can view BigQuery workloads, but cannot create or modify slot reservations or commitments. This role can only be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.bireservations.get` `bigquery.capacityCommitments.get` `bigquery.capacityCommitments.list` `bigquery.jobs.get` `bigquery.jobs.list` `bigquery.jobs.listAll` `bigquery.jobs.listExecutionMetadata` `bigquery.reservationAssignments.list` `bigquery.reservationAssignments.search` `bigquery.reservations.get` `bigquery.reservations.list` `bigquery.reservations.listFailoverDatasets` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Security Admin ^Beta (`roles/bigquery.securityAdmin`) Administer all BigQuery security controls	`bigquery.dataPolicies.create` `bigquery.dataPolicies.delete` `bigquery.dataPolicies.get` `bigquery.dataPolicies.getIamPolicy` `bigquery.dataPolicies.list` `bigquery.dataPolicies.setIamPolicy` `bigquery.dataPolicies.update` `bigquery.datasets.createTagBinding` `bigquery.datasets.deleteTagBinding` `bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.datasets.listEffectiveTags` `bigquery.datasets.listSharedDatasetUsage` `bigquery.datasets.listTagBindings` `bigquery.datasets.setIamPolicy` `bigquery.datasets.update` `bigquery.datasets.updateTag` `bigquery.rowAccessPolicies.create` `bigquery.rowAccessPolicies.delete` `bigquery.rowAccessPolicies.get` `bigquery.rowAccessPolicies.getIamPolicy` `bigquery.rowAccessPolicies.list` `bigquery.rowAccessPolicies.setIamPolicy` `bigquery.rowAccessPolicies.update` `bigquery.tables.createTagBinding` `bigquery.tables.deleteTagBinding` `bigquery.tables.get` `bigquery.tables.getIamPolicy` `bigquery.tables.list` `bigquery.tables.listEffectiveTags` `bigquery.tables.listTagBindings` `bigquery.tables.setColumnDataPolicy` `bigquery.tables.setIamPolicy` `bigquery.tables.update` `bigquery.tables.updateTag` `dataplex.projects.search`
BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Combination role of BigQuery Admin, Dataform Admin, Notebook Runtime Admin and Dataproc Serverless Editor. Lowest-level resources where you can grant this role: Dataset These resources within a dataset: Table View Routine Connection Saved query Data canvas Data preparation Pipeline Repository This role can also be granted on Resource Manager resources (projects, folders, and organizations).	`aiplatform.notebookRuntimeTemplates.` `aiplatform.notebookRuntimeTemplates.apply` `aiplatform.notebookRuntimeTemplates.create` `aiplatform.notebookRuntimeTemplates.delete` `aiplatform.notebookRuntimeTemplates.get` `aiplatform.notebookRuntimeTemplates.getIamPolicy` `aiplatform.notebookRuntimeTemplates.list` `aiplatform.notebookRuntimeTemplates.setIamPolicy` `aiplatform.notebookRuntimeTemplates.update` `aiplatform.notebookRuntimes.` `aiplatform.notebookRuntimes.assign` `aiplatform.notebookRuntimes.delete` `aiplatform.notebookRuntimes.get` `aiplatform.notebookRuntimes.list` `aiplatform.notebookRuntimes.start` `aiplatform.notebookRuntimes.update` `aiplatform.notebookRuntimes.upgrade` `aiplatform.operations.list` `bigquery.bireservations.` `bigquery.bireservations.get` `bigquery.bireservations.update` `bigquery.capacityCommitments.` `bigquery.capacityCommitments.create` `bigquery.capacityCommitments.delete` `bigquery.capacityCommitments.get` `bigquery.capacityCommitments.list` `bigquery.capacityCommitments.update` `bigquery.config.` `bigquery.config.get` `bigquery.config.update` `bigquery.connections.` `bigquery.connections.create` `bigquery.connections.delegate` `bigquery.connections.delete` `bigquery.connections.get` `bigquery.connections.getIamPolicy` `bigquery.connections.list` `bigquery.connections.setIamPolicy` `bigquery.connections.update` `bigquery.connections.updateTag` `bigquery.connections.use` `bigquery.dataPolicies.create` `bigquery.dataPolicies.delete` `bigquery.dataPolicies.get` `bigquery.dataPolicies.getIamPolicy` `bigquery.dataPolicies.list` `bigquery.dataPolicies.setIamPolicy` `bigquery.dataPolicies.update` `bigquery.datasets.` `bigquery.datasets.create` `bigquery.datasets.createTagBinding` `bigquery.datasets.delete` `bigquery.datasets.deleteTagBinding` `bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.datasets.link` `bigquery.datasets.listEffectiveTags` `bigquery.datasets.listSharedDatasetUsage` `bigquery.datasets.listTagBindings` `bigquery.datasets.setIamPolicy` `bigquery.datasets.update` `bigquery.datasets.updateTag` `bigquery.jobs.` `bigquery.jobs.create` `bigquery.jobs.delete` `bigquery.jobs.get` `bigquery.jobs.list` `bigquery.jobs.listAll` `bigquery.jobs.listExecutionMetadata` `bigquery.jobs.update` `bigquery.models.` `bigquery.models.create` `bigquery.models.delete` `bigquery.models.export` `bigquery.models.getData` `bigquery.models.getMetadata` `bigquery.models.list` `bigquery.models.updateData` `bigquery.models.updateMetadata` `bigquery.models.updateTag` `bigquery.objectRefs.` `bigquery.objectRefs.read` `bigquery.objectRefs.write` `bigquery.readsessions.` `bigquery.readsessions.create` `bigquery.readsessions.getData` `bigquery.readsessions.update` `bigquery.reservationAssignments.` `bigquery.reservationAssignments.create` `bigquery.reservationAssignments.delete` `bigquery.reservationAssignments.list` `bigquery.reservationAssignments.search` `bigquery.reservations.` `bigquery.reservations.create` `bigquery.reservations.delete` `bigquery.reservations.get` `bigquery.reservations.list` `bigquery.reservations.listFailoverDatasets` `bigquery.reservations.update` `bigquery.reservations.use` `bigquery.routines.` `bigquery.routines.create` `bigquery.routines.delete` `bigquery.routines.get` `bigquery.routines.list` `bigquery.routines.update` `bigquery.routines.updateTag` `bigquery.rowAccessPolicies.create` `bigquery.rowAccessPolicies.delete` `bigquery.rowAccessPolicies.get` `bigquery.rowAccessPolicies.getIamPolicy` `bigquery.rowAccessPolicies.list` `bigquery.rowAccessPolicies.overrideTimeTravelRestrictions` `bigquery.rowAccessPolicies.setIamPolicy` `bigquery.rowAccessPolicies.update` `bigquery.savedqueries.` `bigquery.savedqueries.create` `bigquery.savedqueries.delete` `bigquery.savedqueries.get` `bigquery.savedqueries.list` `bigquery.savedqueries.update` `bigquery.tables.` `bigquery.tables.create` `bigquery.tables.createIndex` `bigquery.tables.createSnapshot` `bigquery.tables.createTagBinding` `bigquery.tables.delete` `bigquery.tables.deleteIndex` `bigquery.tables.deleteSnapshot` `bigquery.tables.deleteTagBinding` `bigquery.tables.export` `bigquery.tables.get` `bigquery.tables.getData` `bigquery.tables.getIamPolicy` `bigquery.tables.list` `bigquery.tables.listEffectiveTags` `bigquery.tables.listTagBindings` `bigquery.tables.replicateData` `bigquery.tables.restoreSnapshot` `bigquery.tables.setCategory` `bigquery.tables.setColumnDataPolicy` `bigquery.tables.setIamPolicy` `bigquery.tables.update` `bigquery.tables.updateData` `bigquery.tables.updateIndex` `bigquery.tables.updateTag` `bigquery.transfers.` `bigquery.transfers.get` `bigquery.transfers.update` `bigquerymigration.translation.translate` `cloudaicompanion.codeToolsSettings.` `cloudaicompanion.codeToolsSettings.create` `cloudaicompanion.codeToolsSettings.delete` `cloudaicompanion.codeToolsSettings.get` `cloudaicompanion.codeToolsSettings.list` `cloudaicompanion.codeToolsSettings.update` `cloudaicompanion.companions.` `cloudaicompanion.companions.generateChat` `cloudaicompanion.companions.generateCode` `cloudaicompanion.dataSharingWithGoogleSettings.` `cloudaicompanion.dataSharingWithGoogleSettings.create` `cloudaicompanion.dataSharingWithGoogleSettings.delete` `cloudaicompanion.dataSharingWithGoogleSettings.get` `cloudaicompanion.dataSharingWithGoogleSettings.list` `cloudaicompanion.dataSharingWithGoogleSettings.update` `cloudaicompanion.entitlements.get` `cloudaicompanion.geminiGcpEnablementSettings.` `cloudaicompanion.geminiGcpEnablementSettings.create` `cloudaicompanion.geminiGcpEnablementSettings.delete` `cloudaicompanion.geminiGcpEnablementSettings.get` `cloudaicompanion.geminiGcpEnablementSettings.list` `cloudaicompanion.geminiGcpEnablementSettings.update` `cloudaicompanion.instances.` `cloudaicompanion.instances.completeCode` `cloudaicompanion.instances.completeTask` `cloudaicompanion.instances.exportMetrics` `cloudaicompanion.instances.generateCode` `cloudaicompanion.instances.generateText` `cloudaicompanion.instances.queryEffectiveSetting` `cloudaicompanion.instances.queryEffectiveSettingBindings` `cloudaicompanion.licenses.selfAssign` `cloudaicompanion.loggingSettings.` `cloudaicompanion.loggingSettings.create` `cloudaicompanion.loggingSettings.delete` `cloudaicompanion.loggingSettings.get` `cloudaicompanion.loggingSettings.list` `cloudaicompanion.loggingSettings.update` `cloudaicompanion.operations.get` `cloudaicompanion.releaseChannelSettings.` `cloudaicompanion.releaseChannelSettings.create` `cloudaicompanion.releaseChannelSettings.delete` `cloudaicompanion.releaseChannelSettings.get` `cloudaicompanion.releaseChannelSettings.list` `cloudaicompanion.releaseChannelSettings.update` `cloudaicompanion.settingBindings.` `cloudaicompanion.settingBindings.codeToolsSettingsCreate` `cloudaicompanion.settingBindings.codeToolsSettingsDelete` `cloudaicompanion.settingBindings.codeToolsSettingsGet` `cloudaicompanion.settingBindings.codeToolsSettingsList` `cloudaicompanion.settingBindings.codeToolsSettingsUpdate` `cloudaicompanion.settingBindings.codeToolsSettingsUse` `cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsCreate` `cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsDelete` `cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsGet` `cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsList` `cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsUpdate` `cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsUse` `cloudaicompanion.settingBindings.geminiGcpEnablementSettingsCreate` `cloudaicompanion.settingBindings.geminiGcpEnablementSettingsDelete` `cloudaicompanion.settingBindings.geminiGcpEnablementSettingsGet` `cloudaicompanion.settingBindings.geminiGcpEnablementSettingsList` `cloudaicompanion.settingBindings.geminiGcpEnablementSettingsUpdate` `cloudaicompanion.settingBindings.geminiGcpEnablementSettingsUse` `cloudaicompanion.settingBindings.loggingSettingsCreate` `cloudaicompanion.settingBindings.loggingSettingsDelete` `cloudaicompanion.settingBindings.loggingSettingsGet` `cloudaicompanion.settingBindings.loggingSettingsList` `cloudaicompanion.settingBindings.loggingSettingsUpdate` `cloudaicompanion.settingBindings.loggingSettingsUse` `cloudaicompanion.settingBindings.releaseChannelSettingsCreate` `cloudaicompanion.settingBindings.releaseChannelSettingsDelete` `cloudaicompanion.settingBindings.releaseChannelSettingsGet` `cloudaicompanion.settingBindings.releaseChannelSettingsList` `cloudaicompanion.settingBindings.releaseChannelSettingsUpdate` `cloudaicompanion.settingBindings.releaseChannelSettingsUse` `cloudaicompanion.topics.create` `cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.reservations.get` `compute.reservations.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataform.` `dataform.commentThreads.create` `dataform.commentThreads.delete` `dataform.commentThreads.get` `dataform.commentThreads.list` `dataform.commentThreads.update` `dataform.comments.create` `dataform.comments.delete` `dataform.comments.get` `dataform.comments.list` `dataform.comments.update` `dataform.compilationResults.create` `dataform.compilationResults.get` `dataform.compilationResults.list` `dataform.compilationResults.query` `dataform.config.get` `dataform.config.update` `dataform.locations.get` `dataform.locations.list` `dataform.releaseConfigs.create` `dataform.releaseConfigs.delete` `dataform.releaseConfigs.get` `dataform.releaseConfigs.list` `dataform.releaseConfigs.update` `dataform.repositories.commit` `dataform.repositories.computeAccessTokenStatus` `dataform.repositories.create` `dataform.repositories.delete` `dataform.repositories.fetchHistory` `dataform.repositories.fetchRemoteBranches` `dataform.repositories.get` `dataform.repositories.getIamPolicy` `dataform.repositories.list` `dataform.repositories.queryDirectoryContents` `dataform.repositories.readFile` `dataform.repositories.setIamPolicy` `dataform.repositories.update` `dataform.workflowConfigs.create` `dataform.workflowConfigs.delete` `dataform.workflowConfigs.get` `dataform.workflowConfigs.list` `dataform.workflowConfigs.update` `dataform.workflowInvocations.cancel` `dataform.workflowInvocations.create` `dataform.workflowInvocations.delete` `dataform.workflowInvocations.get` `dataform.workflowInvocations.list` `dataform.workflowInvocations.query` `dataform.workspaces.commit` `dataform.workspaces.create` `dataform.workspaces.delete` `dataform.workspaces.fetchFileDiff` `dataform.workspaces.fetchFileGitStatuses` `dataform.workspaces.fetchGitAheadBehind` `dataform.workspaces.get` `dataform.workspaces.getIamPolicy` `dataform.workspaces.installNpmPackages` `dataform.workspaces.list` `dataform.workspaces.makeDirectory` `dataform.workspaces.moveDirectory` `dataform.workspaces.moveFile` `dataform.workspaces.pull` `dataform.workspaces.push` `dataform.workspaces.queryDirectoryContents` `dataform.workspaces.readFile` `dataform.workspaces.removeDirectory` `dataform.workspaces.removeFile` `dataform.workspaces.reset` `dataform.workspaces.searchFiles` `dataform.workspaces.setIamPolicy` `dataform.workspaces.writeFile` `dataplex.datascans.` `dataplex.datascans.create` `dataplex.datascans.delete` `dataplex.datascans.get` `dataplex.datascans.getData` `dataplex.datascans.getIamPolicy` `dataplex.datascans.list` `dataplex.datascans.run` `dataplex.datascans.setIamPolicy` `dataplex.datascans.update` `dataplex.operations.get` `dataplex.operations.list` `dataplex.projects.search` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.*` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery Studio User (`roles/bigquery.studioUser`) Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, Notebook Runtime User and Dataproc Serverless Editor. Lowest-level resources where you can grant this role: Saved query Data canvas Data preparation Pipeline Repository This role can also be granted on Resource Manager resources (projects, folders, and organizations).	`aiplatform.notebookRuntimeTemplates.apply` `aiplatform.notebookRuntimeTemplates.get` `aiplatform.notebookRuntimeTemplates.getIamPolicy` `aiplatform.notebookRuntimeTemplates.list` `aiplatform.notebookRuntimes.assign` `aiplatform.notebookRuntimes.get` `aiplatform.notebookRuntimes.list` `aiplatform.operations.list` `bigquery.config.get` `bigquery.jobs.create` `bigquery.readsessions.` `bigquery.readsessions.create` `bigquery.readsessions.getData` `bigquery.readsessions.update` `cloudaicompanion.companions.` `cloudaicompanion.companions.generateChat` `cloudaicompanion.companions.generateCode` `cloudaicompanion.entitlements.get` `cloudaicompanion.instances.` `cloudaicompanion.instances.completeCode` `cloudaicompanion.instances.completeTask` `cloudaicompanion.instances.exportMetrics` `cloudaicompanion.instances.generateCode` `cloudaicompanion.instances.generateText` `cloudaicompanion.instances.queryEffectiveSetting` `cloudaicompanion.instances.queryEffectiveSettingBindings` `cloudaicompanion.licenses.selfAssign` `cloudaicompanion.operations.get` `cloudaicompanion.topics.create` `compute.projects.get` `compute.regions.` `compute.regions.get` `compute.regions.list` `compute.zones.` `compute.zones.get` `compute.zones.list` `dataform.commentThreads.get` `dataform.commentThreads.list` `dataform.comments.get` `dataform.comments.list` `dataform.locations.` `dataform.locations.get` `dataform.locations.list` `dataform.repositories.create` `dataform.repositories.list` `dataplex.projects.search` `dataproc.batches.` `dataproc.batches.analyze` `dataproc.batches.cancel` `dataproc.batches.create` `dataproc.batches.delete` `dataproc.batches.get` `dataproc.batches.list` `dataproc.batches.sparkApplicationRead` `dataproc.batches.sparkApplicationWrite` `dataproc.operations.cancel` `dataproc.operations.delete` `dataproc.operations.get` `dataproc.operations.list` `dataproc.sessionTemplates.` `dataproc.sessionTemplates.create` `dataproc.sessionTemplates.delete` `dataproc.sessionTemplates.get` `dataproc.sessionTemplates.list` `dataproc.sessionTemplates.update` `dataproc.sessions.` `dataproc.sessions.create` `dataproc.sessions.delete` `dataproc.sessions.get` `dataproc.sessions.list` `dataproc.sessions.sparkApplicationRead` `dataproc.sessions.sparkApplicationWrite` `dataproc.sessions.terminate` `dataprocrm.nodePools.` `dataprocrm.nodePools.create` `dataprocrm.nodePools.delete` `dataprocrm.nodePools.deleteNodes` `dataprocrm.nodePools.get` `dataprocrm.nodePools.list` `dataprocrm.nodePools.resize` `dataprocrm.nodes.get` `dataprocrm.nodes.heartbeat` `dataprocrm.nodes.list` `dataprocrm.nodes.update` `dataprocrm.operations.get` `dataprocrm.operations.list` `dataprocrm.workloads.*` `dataprocrm.workloads.cancel` `dataprocrm.workloads.create` `dataprocrm.workloads.delete` `dataprocrm.workloads.get` `dataprocrm.workloads.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
BigQuery User (`roles/bigquery.user`) When granted on a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset. When granted on a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (`roles/bigquery.dataOwner`) on these new datasets. Lowest-level resources where you can grant this role: Dataset These resources within a dataset: Routine This role can also be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.bireservations.get` `bigquery.capacityCommitments.get` `bigquery.capacityCommitments.list` `bigquery.config.get` `bigquery.datasets.create` `bigquery.datasets.get` `bigquery.datasets.getIamPolicy` `bigquery.jobs.create` `bigquery.jobs.list` `bigquery.models.list` `bigquery.readsessions.` `bigquery.readsessions.create` `bigquery.readsessions.getData` `bigquery.readsessions.update` `bigquery.reservationAssignments.list` `bigquery.reservationAssignments.search` `bigquery.reservations.get` `bigquery.reservations.list` `bigquery.reservations.listFailoverDatasets` `bigquery.reservations.use` `bigquery.routines.list` `bigquery.savedqueries.get` `bigquery.savedqueries.list` `bigquery.tables.list` `bigquery.transfers.get` `bigquerymigration.translation.translate` `cloudkms.keyHandles.` `cloudkms.keyHandles.create` `cloudkms.keyHandles.get` `cloudkms.keyHandles.list` `cloudkms.operations.get` `cloudkms.projects.showEffectiveAutokeyConfig` `dataform.locations.*` `dataform.locations.get` `dataform.locations.list` `dataform.repositories.create` `dataform.repositories.list` `dataplex.projects.search` `resourcemanager.projects.get` `resourcemanager.projects.list`

BigQuery Admin

(roles/bigquery.admin)

Provides permissions to manage all resources within the project. Can manage all data within the project, and can cancel jobs from other users running within the project.

Lowest-level resources where you can grant this role:

Dataset
These resources within a dataset:

Table
View
Routine

Connection
Saved query
Data canvas
Pipeline
Data preparation
Repository

This role can also be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.bireservations.*

bigquery.bireservations.get
bigquery.bireservations.update

bigquery.capacityCommitments.*

bigquery.capacityCommitments.create
bigquery.capacityCommitments.delete
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.capacityCommitments.update

bigquery.config.*

bigquery.config.get
bigquery.config.update

bigquery.connections.*

bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.datasets.create
bigquery.datasets.createTagBinding
bigquery.datasets.delete
bigquery.datasets.deleteTagBinding
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.link
bigquery.datasets.listEffectiveTags
bigquery.datasets.listSharedDatasetUsage
bigquery.datasets.listTagBindings
bigquery.datasets.setIamPolicy
bigquery.datasets.update
bigquery.datasets.updateTag

bigquery.jobs.*

bigquery.jobs.create
bigquery.jobs.delete
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.jobs.update

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.objectRefs.*

bigquery.objectRefs.read
bigquery.objectRefs.write

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.listFailoverDatasets
bigquery.reservations.update
bigquery.reservations.use

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.get

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

bigquery.savedqueries.create
bigquery.savedqueries.delete
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.savedqueries.update

bigquery.tables.*

bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.createTagBinding
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.deleteSnapshot
bigquery.tables.deleteTagBinding
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings
bigquery.tables.replicateData
bigquery.tables.restoreSnapshot
bigquery.tables.setCategory
bigquery.tables.setColumnDataPolicy
bigquery.tables.setIamPolicy
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateIndex
bigquery.tables.updateTag

bigquery.transfers.*

bigquery.transfers.get
bigquery.transfers.update

bigquerymigration.translation.translate

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

dataform.*

dataform.commentThreads.create
dataform.commentThreads.delete
dataform.commentThreads.get
dataform.commentThreads.list
dataform.commentThreads.update
dataform.comments.create
dataform.comments.delete
dataform.comments.get
dataform.comments.list
dataform.comments.update
dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.config.get
dataform.config.update
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

dataplex.datascans.*

dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.setIamPolicy
dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Connection Admin

(roles/bigquery.connectionAdmin)

Lowest-level resources where you can grant this role:

Connection

This role can also be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.connections.*

bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use

BigQuery Connection User

(roles/bigquery.connectionUser)

Lowest-level resources where you can grant this role:

Connection

This role can also be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.connections.get

bigquery.connections.getIamPolicy

bigquery.connections.list

bigquery.connections.use

BigQuery Data Editor

(roles/bigquery.dataEditor)

When granted on a table or view, this role provides permissions to:

Read and update data and metadata for the table or view.
Delete the table or view.

This role cannot be granted to individual models.

When granted on a dataset, this role provides permissions to:

Read the dataset's metadata and list tables in the dataset.
Create, update, get, and delete the dataset's tables.

The BigQuery Data Editor role is mapped to the WRITER BigQuery basic role. When you grant the BigQuery Data Editor role to a principal at the dataset level, the principal is granted WRITER access to the dataset.

When applied at the project or organization level, this role also lets users create new datasets.

Lowest-level resources where you can grant this role:

Dataset
These resources within a dataset:

Table
View
Routine

This role can also be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.updateTag

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.tables.create

bigquery.tables.createIndex

bigquery.tables.createSnapshot

bigquery.tables.delete

bigquery.tables.deleteIndex

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

bigquery.tables.restoreSnapshot

bigquery.tables.update

bigquery.tables.updateData

bigquery.tables.updateIndex

bigquery.tables.updateTag

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

dataplex.datascans.create

dataplex.datascans.delete

dataplex.datascans.get

dataplex.datascans.getData

dataplex.datascans.getIamPolicy

dataplex.datascans.list

dataplex.datascans.run

dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Data Owner

(roles/bigquery.dataOwner)

When granted on a table or view, this role provides permissions to:

Read and update data and metadata for the table or view.
Share the table or view.
Delete the table or view.

This role cannot be granted to individual models.

When granted on a dataset, this role provides permissions to:

Read, update, and delete the dataset.
Create, update, get, and delete the dataset's tables.

The BigQuery Data Owner role is mapped to the OWNER BigQuery basic role. When you grant the BigQuery Data Owner role to a principal at the dataset level, the principal is granted OWNER access to the dataset.

When applied at the project or organization level, this role can also create new datasets.

Lowest-level resources where you can grant this role:

Dataset
These resources within a dataset:

Table
View
Routine

This role can also be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.config.get

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.datasets.create
bigquery.datasets.createTagBinding
bigquery.datasets.delete
bigquery.datasets.deleteTagBinding
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.link
bigquery.datasets.listEffectiveTags
bigquery.datasets.listSharedDatasetUsage
bigquery.datasets.listTagBindings
bigquery.datasets.setIamPolicy
bigquery.datasets.update
bigquery.datasets.updateTag

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.get

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.tables.*

bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.createTagBinding
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.deleteSnapshot
bigquery.tables.deleteTagBinding
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings
bigquery.tables.replicateData
bigquery.tables.restoreSnapshot
bigquery.tables.setCategory
bigquery.tables.setColumnDataPolicy
bigquery.tables.setIamPolicy
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateIndex
bigquery.tables.updateTag

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

dataplex.datascans.*

dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.setIamPolicy
dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Data Viewer

(roles/bigquery.dataViewer)

When granted on a table or view, this role provides permissions to:

Read data and metadata from the table or view.

This role cannot be granted to individual models.

When granted on a dataset, this role provides permissions to list all of the resources in the dataset (such as tables, views, snapshots, models, and routines) and to read their data and metadata with applicable APIs and in queries.

The BigQuery Data Viewer role is mapped to the READER BigQuery basic role. When you grant the BigQuery Data Viewer role to a principal at the dataset level, the principal is granted READER access to the dataset.

When applied at the project or organization level, this role can also enumerate all datasets in the project. Additional roles, however, are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

Dataset
These resources within a dataset:

Table
View
Routine

This role can also be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.export

bigquery.models.getData

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.createSnapshot

bigquery.tables.export

bigquery.tables.get

bigquery.tables.getData

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.replicateData

dataplex.datascans.get

dataplex.datascans.getData

dataplex.datascans.getIamPolicy

dataplex.datascans.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Filtered Data Viewer

(roles/bigquery.filteredDataViewer)

Access to view filtered table data defined by a row access policy. bigquery.filteredDataViewer is a system-managed role. Grant the role by using row-level access policies. Don't apply the role directly to a resource through Identity and Access Management (IAM).

bigquery.rowAccessPolicies.getFilteredData

BigQuery Job User

(roles/bigquery.jobUser)

Provides permissions to run jobs, including queries, within the project.

This role can only be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.config.get

bigquery.jobs.create

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.create

dataform.repositories.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Metadata Viewer

(roles/bigquery.metadataViewer)

When granted on a table or view, this role provides permissions to:

Read metadata from the table or view.

This role cannot be granted to individual models.

When granted on a dataset, this role provides permissions to:

List tables and views in the dataset.
Read metadata from the dataset's tables and views.

When applied at the project or organization level, this role provides permissions to:

List all datasets and read metadata for all datasets in the project.
List all tables and views and read metadata for all tables and views in the project.

Additional roles are necessary to allow the running of jobs.

Lowest-level resources where you can grant this role:

Dataset
These resources within a dataset:

Table
View
Routine

This role can also be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.models.getMetadata

bigquery.models.list

bigquery.routines.get

bigquery.routines.list

bigquery.tables.get

bigquery.tables.getIamPolicy

bigquery.tables.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery ObjectRef Admin

(roles/bigquery.objectRefAdmin)

Administer ObjectRef resources that includes read and write permissions

Lowest-level resources where you can grant this role:

Connection

This role can also be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.objectRefs.*

bigquery.objectRefs.read
bigquery.objectRefs.write

BigQuery ObjectRef Reader

(roles/bigquery.objectRefReader)

Role for reading referenced objects via ObjectRefs in BigQuery

Lowest-level resources where you can grant this role:

Connection

This role can also be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.objectRefs.read

BigQuery Read Session User

(roles/bigquery.readSessionUser)

Provides the ability to create and use read sessions.

This role can only be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Admin

(roles/bigquery.resourceAdmin)

Administers BigQuery workloads, including slot assignments, commitments, and reservations.

This role can only be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.bireservations.*

bigquery.bireservations.get
bigquery.bireservations.update

bigquery.capacityCommitments.*

bigquery.capacityCommitments.create
bigquery.capacityCommitments.delete
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.capacityCommitments.update

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.listFailoverDatasets
bigquery.reservations.update
bigquery.reservations.use

recommender.bigqueryCapacityCommitmentsInsights.*

recommender.bigqueryCapacityCommitmentsInsights.get
recommender.bigqueryCapacityCommitmentsInsights.list
recommender.bigqueryCapacityCommitmentsInsights.update

recommender.bigqueryCapacityCommitmentsRecommendations.*

recommender.bigqueryCapacityCommitmentsRecommendations.get
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryCapacityCommitmentsRecommendations.update

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Editor

(roles/bigquery.resourceEditor)

Manages BigQuery workloads, but is unable to create or modify slot commitments.

This role can only be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.listFailoverDatasets
bigquery.reservations.update
bigquery.reservations.use

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Resource Viewer

(roles/bigquery.resourceViewer)

Can view BigQuery workloads, but cannot create or modify slot reservations or commitments.

This role can only be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.jobs.get

bigquery.jobs.list

bigquery.jobs.listAll

bigquery.jobs.listExecutionMetadata

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.reservations.listFailoverDatasets

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Security Admin ^Beta

(roles/bigquery.securityAdmin)

Administer all BigQuery security controls

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.createTagBinding

bigquery.datasets.deleteTagBinding

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.datasets.listEffectiveTags

bigquery.datasets.listSharedDatasetUsage

bigquery.datasets.listTagBindings

bigquery.datasets.setIamPolicy

bigquery.datasets.update

bigquery.datasets.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.get

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.tables.createTagBinding

bigquery.tables.deleteTagBinding

bigquery.tables.get

bigquery.tables.getIamPolicy

bigquery.tables.list

bigquery.tables.listEffectiveTags

bigquery.tables.listTagBindings

bigquery.tables.setColumnDataPolicy

bigquery.tables.setIamPolicy

bigquery.tables.update

bigquery.tables.updateTag

dataplex.projects.search

BigQuery Studio Admin

(roles/bigquery.studioAdmin)

Combination role of BigQuery Admin, Dataform Admin, Notebook Runtime Admin and Dataproc Serverless Editor.

Lowest-level resources where you can grant this role:

Dataset
These resources within a dataset:

Table
View
Routine

Connection
Saved query
Data canvas
Data preparation
Pipeline
Repository

This role can also be granted on Resource Manager resources (projects, folders, and organizations).

aiplatform.notebookRuntimeTemplates.*

aiplatform.notebookRuntimeTemplates.apply
aiplatform.notebookRuntimeTemplates.create
aiplatform.notebookRuntimeTemplates.delete
aiplatform.notebookRuntimeTemplates.get
aiplatform.notebookRuntimeTemplates.getIamPolicy
aiplatform.notebookRuntimeTemplates.list
aiplatform.notebookRuntimeTemplates.setIamPolicy
aiplatform.notebookRuntimeTemplates.update

aiplatform.notebookRuntimes.*

aiplatform.notebookRuntimes.assign
aiplatform.notebookRuntimes.delete
aiplatform.notebookRuntimes.get
aiplatform.notebookRuntimes.list
aiplatform.notebookRuntimes.start
aiplatform.notebookRuntimes.update
aiplatform.notebookRuntimes.upgrade

aiplatform.operations.list

bigquery.bireservations.*

bigquery.bireservations.get
bigquery.bireservations.update

bigquery.capacityCommitments.*

bigquery.capacityCommitments.create
bigquery.capacityCommitments.delete
bigquery.capacityCommitments.get
bigquery.capacityCommitments.list
bigquery.capacityCommitments.update

bigquery.config.*

bigquery.config.get
bigquery.config.update

bigquery.connections.*

bigquery.connections.create
bigquery.connections.delegate
bigquery.connections.delete
bigquery.connections.get
bigquery.connections.getIamPolicy
bigquery.connections.list
bigquery.connections.setIamPolicy
bigquery.connections.update
bigquery.connections.updateTag
bigquery.connections.use

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

bigquery.datasets.*

bigquery.datasets.create
bigquery.datasets.createTagBinding
bigquery.datasets.delete
bigquery.datasets.deleteTagBinding
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.link
bigquery.datasets.listEffectiveTags
bigquery.datasets.listSharedDatasetUsage
bigquery.datasets.listTagBindings
bigquery.datasets.setIamPolicy
bigquery.datasets.update
bigquery.datasets.updateTag

bigquery.jobs.*

bigquery.jobs.create
bigquery.jobs.delete
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.listExecutionMetadata
bigquery.jobs.update

bigquery.models.*

bigquery.models.create
bigquery.models.delete
bigquery.models.export
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.models.updateData
bigquery.models.updateMetadata
bigquery.models.updateTag

bigquery.objectRefs.*

bigquery.objectRefs.read
bigquery.objectRefs.write

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

bigquery.reservationAssignments.*

bigquery.reservationAssignments.create
bigquery.reservationAssignments.delete
bigquery.reservationAssignments.list
bigquery.reservationAssignments.search

bigquery.reservations.*

bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.get
bigquery.reservations.list
bigquery.reservations.listFailoverDatasets
bigquery.reservations.update
bigquery.reservations.use

bigquery.routines.*

bigquery.routines.create
bigquery.routines.delete
bigquery.routines.get
bigquery.routines.list
bigquery.routines.update
bigquery.routines.updateTag

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.delete

bigquery.rowAccessPolicies.get

bigquery.rowAccessPolicies.getIamPolicy

bigquery.rowAccessPolicies.list

bigquery.rowAccessPolicies.overrideTimeTravelRestrictions

bigquery.rowAccessPolicies.setIamPolicy

bigquery.rowAccessPolicies.update

bigquery.savedqueries.*

bigquery.savedqueries.create
bigquery.savedqueries.delete
bigquery.savedqueries.get
bigquery.savedqueries.list
bigquery.savedqueries.update

bigquery.tables.*

bigquery.tables.create
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.createTagBinding
bigquery.tables.delete
bigquery.tables.deleteIndex
bigquery.tables.deleteSnapshot
bigquery.tables.deleteTagBinding
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.listEffectiveTags
bigquery.tables.listTagBindings
bigquery.tables.replicateData
bigquery.tables.restoreSnapshot
bigquery.tables.setCategory
bigquery.tables.setColumnDataPolicy
bigquery.tables.setIamPolicy
bigquery.tables.update
bigquery.tables.updateData
bigquery.tables.updateIndex
bigquery.tables.updateTag

bigquery.transfers.*

bigquery.transfers.get
bigquery.transfers.update

bigquerymigration.translation.translate

cloudaicompanion.codeToolsSettings.*

cloudaicompanion.codeToolsSettings.create
cloudaicompanion.codeToolsSettings.delete
cloudaicompanion.codeToolsSettings.get
cloudaicompanion.codeToolsSettings.list
cloudaicompanion.codeToolsSettings.update

cloudaicompanion.companions.*

cloudaicompanion.companions.generateChat
cloudaicompanion.companions.generateCode

cloudaicompanion.dataSharingWithGoogleSettings.*

cloudaicompanion.dataSharingWithGoogleSettings.create
cloudaicompanion.dataSharingWithGoogleSettings.delete
cloudaicompanion.dataSharingWithGoogleSettings.get
cloudaicompanion.dataSharingWithGoogleSettings.list
cloudaicompanion.dataSharingWithGoogleSettings.update

cloudaicompanion.entitlements.get

cloudaicompanion.geminiGcpEnablementSettings.*

cloudaicompanion.geminiGcpEnablementSettings.create
cloudaicompanion.geminiGcpEnablementSettings.delete
cloudaicompanion.geminiGcpEnablementSettings.get
cloudaicompanion.geminiGcpEnablementSettings.list
cloudaicompanion.geminiGcpEnablementSettings.update

cloudaicompanion.instances.*

cloudaicompanion.instances.completeCode
cloudaicompanion.instances.completeTask
cloudaicompanion.instances.exportMetrics
cloudaicompanion.instances.generateCode
cloudaicompanion.instances.generateText
cloudaicompanion.instances.queryEffectiveSetting
cloudaicompanion.instances.queryEffectiveSettingBindings

cloudaicompanion.licenses.selfAssign

cloudaicompanion.loggingSettings.*

cloudaicompanion.loggingSettings.create
cloudaicompanion.loggingSettings.delete
cloudaicompanion.loggingSettings.get
cloudaicompanion.loggingSettings.list
cloudaicompanion.loggingSettings.update

cloudaicompanion.operations.get

cloudaicompanion.releaseChannelSettings.*

cloudaicompanion.releaseChannelSettings.create
cloudaicompanion.releaseChannelSettings.delete
cloudaicompanion.releaseChannelSettings.get
cloudaicompanion.releaseChannelSettings.list
cloudaicompanion.releaseChannelSettings.update

cloudaicompanion.settingBindings.*

cloudaicompanion.settingBindings.codeToolsSettingsCreate
cloudaicompanion.settingBindings.codeToolsSettingsDelete
cloudaicompanion.settingBindings.codeToolsSettingsGet
cloudaicompanion.settingBindings.codeToolsSettingsList
cloudaicompanion.settingBindings.codeToolsSettingsUpdate
cloudaicompanion.settingBindings.codeToolsSettingsUse
cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsCreate
cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsDelete
cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsGet
cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsList
cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsUpdate
cloudaicompanion.settingBindings.dataSharingWithGoogleSettingsUse
cloudaicompanion.settingBindings.geminiGcpEnablementSettingsCreate
cloudaicompanion.settingBindings.geminiGcpEnablementSettingsDelete
cloudaicompanion.settingBindings.geminiGcpEnablementSettingsGet
cloudaicompanion.settingBindings.geminiGcpEnablementSettingsList
cloudaicompanion.settingBindings.geminiGcpEnablementSettingsUpdate
cloudaicompanion.settingBindings.geminiGcpEnablementSettingsUse
cloudaicompanion.settingBindings.loggingSettingsCreate
cloudaicompanion.settingBindings.loggingSettingsDelete
cloudaicompanion.settingBindings.loggingSettingsGet
cloudaicompanion.settingBindings.loggingSettingsList
cloudaicompanion.settingBindings.loggingSettingsUpdate
cloudaicompanion.settingBindings.loggingSettingsUse
cloudaicompanion.settingBindings.releaseChannelSettingsCreate
cloudaicompanion.settingBindings.releaseChannelSettingsDelete
cloudaicompanion.settingBindings.releaseChannelSettingsGet
cloudaicompanion.settingBindings.releaseChannelSettingsList
cloudaicompanion.settingBindings.releaseChannelSettingsUpdate
cloudaicompanion.settingBindings.releaseChannelSettingsUse

cloudaicompanion.topics.create

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.reservations.get

compute.reservations.list

compute.zones.*

compute.zones.get
compute.zones.list

dataform.*

dataform.commentThreads.create
dataform.commentThreads.delete
dataform.commentThreads.get
dataform.commentThreads.list
dataform.commentThreads.update
dataform.comments.create
dataform.comments.delete
dataform.comments.get
dataform.comments.list
dataform.comments.update
dataform.compilationResults.create
dataform.compilationResults.get
dataform.compilationResults.list
dataform.compilationResults.query
dataform.config.get
dataform.config.update
dataform.locations.get
dataform.locations.list
dataform.releaseConfigs.create
dataform.releaseConfigs.delete
dataform.releaseConfigs.get
dataform.releaseConfigs.list
dataform.releaseConfigs.update
dataform.repositories.commit
dataform.repositories.computeAccessTokenStatus
dataform.repositories.create
dataform.repositories.delete
dataform.repositories.fetchHistory
dataform.repositories.fetchRemoteBranches
dataform.repositories.get
dataform.repositories.getIamPolicy
dataform.repositories.list
dataform.repositories.queryDirectoryContents
dataform.repositories.readFile
dataform.repositories.setIamPolicy
dataform.repositories.update
dataform.workflowConfigs.create
dataform.workflowConfigs.delete
dataform.workflowConfigs.get
dataform.workflowConfigs.list
dataform.workflowConfigs.update
dataform.workflowInvocations.cancel
dataform.workflowInvocations.create
dataform.workflowInvocations.delete
dataform.workflowInvocations.get
dataform.workflowInvocations.list
dataform.workflowInvocations.query
dataform.workspaces.commit
dataform.workspaces.create
dataform.workspaces.delete
dataform.workspaces.fetchFileDiff
dataform.workspaces.fetchFileGitStatuses
dataform.workspaces.fetchGitAheadBehind
dataform.workspaces.get
dataform.workspaces.getIamPolicy
dataform.workspaces.installNpmPackages
dataform.workspaces.list
dataform.workspaces.makeDirectory
dataform.workspaces.moveDirectory
dataform.workspaces.moveFile
dataform.workspaces.pull
dataform.workspaces.push
dataform.workspaces.queryDirectoryContents
dataform.workspaces.readFile
dataform.workspaces.removeDirectory
dataform.workspaces.removeFile
dataform.workspaces.reset
dataform.workspaces.searchFiles
dataform.workspaces.setIamPolicy
dataform.workspaces.writeFile

dataplex.datascans.*

dataplex.datascans.create
dataplex.datascans.delete
dataplex.datascans.get
dataplex.datascans.getData
dataplex.datascans.getIamPolicy
dataplex.datascans.list
dataplex.datascans.run
dataplex.datascans.setIamPolicy
dataplex.datascans.update

dataplex.operations.get

dataplex.operations.list

dataplex.projects.search

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Studio User

(roles/bigquery.studioUser)

Combination role of BigQuery Job User, BigQuery Read Session User, Dataform Code Creator, Notebook Runtime User and Dataproc Serverless Editor.

Lowest-level resources where you can grant this role:

Saved query
Data canvas
Data preparation
Pipeline
Repository

This role can also be granted on Resource Manager resources (projects, folders, and organizations).

aiplatform.notebookRuntimeTemplates.apply

aiplatform.notebookRuntimeTemplates.get

aiplatform.notebookRuntimeTemplates.getIamPolicy

aiplatform.notebookRuntimeTemplates.list

aiplatform.notebookRuntimes.assign

aiplatform.notebookRuntimes.get

aiplatform.notebookRuntimes.list

aiplatform.operations.list

bigquery.config.get

bigquery.jobs.create

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

cloudaicompanion.companions.*

cloudaicompanion.companions.generateChat
cloudaicompanion.companions.generateCode

cloudaicompanion.entitlements.get

cloudaicompanion.instances.*

cloudaicompanion.instances.completeCode
cloudaicompanion.instances.completeTask
cloudaicompanion.instances.exportMetrics
cloudaicompanion.instances.generateCode
cloudaicompanion.instances.generateText
cloudaicompanion.instances.queryEffectiveSetting
cloudaicompanion.instances.queryEffectiveSettingBindings

cloudaicompanion.licenses.selfAssign

cloudaicompanion.operations.get

cloudaicompanion.topics.create

compute.projects.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.zones.*

compute.zones.get
compute.zones.list

dataform.commentThreads.get

dataform.commentThreads.list

dataform.comments.get

dataform.comments.list

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.create

dataform.repositories.list

dataplex.projects.search

dataproc.batches.*

dataproc.batches.analyze
dataproc.batches.cancel
dataproc.batches.create
dataproc.batches.delete
dataproc.batches.get
dataproc.batches.list
dataproc.batches.sparkApplicationRead
dataproc.batches.sparkApplicationWrite

dataproc.operations.cancel

dataproc.operations.delete

dataproc.operations.get

dataproc.operations.list

dataproc.sessionTemplates.*

dataproc.sessionTemplates.create
dataproc.sessionTemplates.delete
dataproc.sessionTemplates.get
dataproc.sessionTemplates.list
dataproc.sessionTemplates.update

dataproc.sessions.*

dataproc.sessions.create
dataproc.sessions.delete
dataproc.sessions.get
dataproc.sessions.list
dataproc.sessions.sparkApplicationRead
dataproc.sessions.sparkApplicationWrite
dataproc.sessions.terminate

dataprocrm.nodePools.*

dataprocrm.nodePools.create
dataprocrm.nodePools.delete
dataprocrm.nodePools.deleteNodes
dataprocrm.nodePools.get
dataprocrm.nodePools.list
dataprocrm.nodePools.resize

dataprocrm.nodes.get

dataprocrm.nodes.heartbeat

dataprocrm.nodes.list

dataprocrm.nodes.update

dataprocrm.operations.get

dataprocrm.operations.list

dataprocrm.workloads.*

dataprocrm.workloads.cancel
dataprocrm.workloads.create
dataprocrm.workloads.delete
dataprocrm.workloads.get
dataprocrm.workloads.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery User

(roles/bigquery.user)

When granted on a dataset, this role provides the ability to read the dataset's metadata and list tables in the dataset.

When granted on a project, this role also provides the ability to run jobs, including queries, within the project. A principal with this role can enumerate their own jobs, cancel their own jobs, and enumerate datasets within a project. Additionally, allows the creation of new datasets within the project; the creator is granted the BigQuery Data Owner role (roles/bigquery.dataOwner) on these new datasets.

Lowest-level resources where you can grant this role:

Dataset
These resources within a dataset:

Routine

This role can also be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.bireservations.get

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.config.get

bigquery.datasets.create

bigquery.datasets.get

bigquery.datasets.getIamPolicy

bigquery.jobs.create

bigquery.jobs.list

bigquery.models.list

bigquery.readsessions.*

bigquery.readsessions.create
bigquery.readsessions.getData
bigquery.readsessions.update

bigquery.reservationAssignments.list

bigquery.reservationAssignments.search

bigquery.reservations.get

bigquery.reservations.list

bigquery.reservations.listFailoverDatasets

bigquery.reservations.use

bigquery.routines.list

bigquery.savedqueries.get

bigquery.savedqueries.list

bigquery.tables.list

bigquery.transfers.get

bigquerymigration.translation.translate

cloudkms.keyHandles.*

cloudkms.keyHandles.create
cloudkms.keyHandles.get
cloudkms.keyHandles.list

cloudkms.operations.get

cloudkms.projects.showEffectiveAutokeyConfig

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.create

dataform.repositories.list

dataplex.projects.search

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Connection API roles

This table lists the IAM roles and permissions for BigQuery Connection API. To search through all roles and permissions, see the role and permission index.

Role Permissions

Role	Permissions
BigQuery Connection Service Agent (`roles/bigqueryconnection.serviceAgent`) Gives BigQuery Connection Service access to Cloud SQL instances in user projects. Warning: Do not grant service agent roles to any principals except service agents.	`cloudsql.instances.connect` `cloudsql.instances.get` `logging.logEntries.create` `logging.logEntries.route` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.*` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.timeSeries.create`

BigQuery Connection Service Agent

(roles/bigqueryconnection.serviceAgent)

Gives BigQuery Connection Service access to Cloud SQL instances in user projects.

cloudsql.instances.connect

cloudsql.instances.get

logging.logEntries.create

logging.logEntries.route

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

BigQuery Continuous Query roles

This table lists the IAM roles and permissions for BigQuery Continuous Query. To search through all roles and permissions, see the role and permission index.

Role Permissions

Role	Permissions
BigQuery Continuous Query Service Agent (`roles/bigquerycontinuousquery.serviceAgent`) Gives BigQuery Continuous Query access to the service accounts in the user project. Warning: Do not grant service agent roles to any principals except service agents.	`iam.serviceAccounts.getAccessToken`

BigQuery Continuous Query Service Agent

(roles/bigquerycontinuousquery.serviceAgent)

Gives BigQuery Continuous Query access to the service accounts in the user project.

iam.serviceAccounts.getAccessToken

BigQuery Data Policy roles

This table lists the IAM roles and permissions for BigQuery Data Policy. To search through all roles and permissions, see the role and permission index.

Role Permissions

Role	Permissions
BigQuery Data Policy Admin (`roles/bigquerydatapolicy.admin`) Role for managing Data Policies in BigQuery This role can only be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.dataPolicies.create` `bigquery.dataPolicies.delete` `bigquery.dataPolicies.get` `bigquery.dataPolicies.getIamPolicy` `bigquery.dataPolicies.list` `bigquery.dataPolicies.setIamPolicy` `bigquery.dataPolicies.update`
Masked Reader (`roles/bigquerydatapolicy.maskedReader`) Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns This role can only be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.dataPolicies.maskedGet`
Raw Data Reader ^Beta (`roles/bigquerydatapolicy.rawDataReader`) Raw read access to sub-resources associated with a data policy, for example, BigQuery columns This role can only be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.dataPolicies.getRawData`
BigQuery Data Policy Viewer (`roles/bigquerydatapolicy.viewer`) Role for viewing Data Policies in BigQuery This role can only be granted on Resource Manager resources (projects, folders, and organizations).	`bigquery.dataPolicies.get` `bigquery.dataPolicies.list`

BigQuery Data Policy Admin

(roles/bigquerydatapolicy.admin)

Role for managing Data Policies in BigQuery

This role can only be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.list

bigquery.dataPolicies.setIamPolicy

bigquery.dataPolicies.update

Masked Reader

(roles/bigquerydatapolicy.maskedReader)

Masked read access to sub-resources tagged by the policy tag associated with a data policy, for example, BigQuery columns

This role can only be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.dataPolicies.maskedGet

Raw Data Reader ^Beta

(roles/bigquerydatapolicy.rawDataReader)

Raw read access to sub-resources associated with a data policy, for example, BigQuery columns

This role can only be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.dataPolicies.getRawData

BigQuery Data Policy Viewer

(roles/bigquerydatapolicy.viewer)

Role for viewing Data Policies in BigQuery

This role can only be granted on Resource Manager resources (projects, folders, and organizations).

bigquery.dataPolicies.get

bigquery.dataPolicies.list

BigQuery Data Transfer Service roles

This table lists the IAM roles and permissions for BigQuery Data Transfer Service. To search through all roles and permissions, see the role and permission index.

Role Permissions

Role	Permissions
BigQuery Data Transfer Service Agent (`roles/bigquerydatatransfer.serviceAgent`) Gives BigQuery Data Transfer Service access to start BigQuery jobs in consumer project. Warning: Do not grant service agent roles to any principals except service agents.	`bigquery.config.get` `bigquery.jobs.create` `compute.networkAttachments.get` `compute.networkAttachments.update` `compute.regionOperations.get` `compute.subnetworks.use` `dataform.locations.*` `dataform.locations.get` `dataform.locations.list` `dataform.repositories.create` `dataform.repositories.list` `iam.serviceAccounts.getAccessToken` `logging.logEntries.create` `logging.logEntries.route` `resourcemanager.projects.get` `resourcemanager.projects.list` `serviceusage.services.use`

BigQuery Data Transfer Service Agent

(roles/bigquerydatatransfer.serviceAgent)

Gives BigQuery Data Transfer Service access to start BigQuery jobs in consumer project.

bigquery.config.get

bigquery.jobs.create

compute.networkAttachments.get

compute.networkAttachments.update

compute.regionOperations.get

compute.subnetworks.use

dataform.locations.*

dataform.locations.get
dataform.locations.list

dataform.repositories.create

dataform.repositories.list

iam.serviceAccounts.getAccessToken

logging.logEntries.create

logging.logEntries.route

resourcemanager.projects.get

resourcemanager.projects.list

serviceusage.services.use

BigQuery Engine for Apache Flink roles

This table lists the IAM roles and permissions for BigQuery Engine for Apache Flink. To search through all roles and permissions, see the role and permission index.

Role Permissions

Role	Permissions
Managed Flink Admin ^Beta (`roles/managedflink.admin`) Full access to Managed Flink resources.	`managedflink.*` `managedflink.deployments.create` `managedflink.deployments.delete` `managedflink.deployments.get` `managedflink.deployments.list` `managedflink.deployments.update` `managedflink.jobs.create` `managedflink.jobs.delete` `managedflink.jobs.get` `managedflink.jobs.list` `managedflink.jobs.update` `managedflink.locations.get` `managedflink.locations.list` `managedflink.operations.cancel` `managedflink.operations.delete` `managedflink.operations.get` `managedflink.operations.list` `managedflink.sessions.create` `managedflink.sessions.delete` `managedflink.sessions.get` `managedflink.sessions.list` `managedflink.sessions.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Managed Flink Developer ^Beta (`roles/managedflink.developer`) Full access to Managed Flink Jobs and Sessions and read access to Deployments.	`managedflink.deployments.get` `managedflink.deployments.list` `managedflink.jobs.` `managedflink.jobs.create` `managedflink.jobs.delete` `managedflink.jobs.get` `managedflink.jobs.list` `managedflink.jobs.update` `managedflink.locations.` `managedflink.locations.get` `managedflink.locations.list` `managedflink.operations.get` `managedflink.operations.list` `managedflink.sessions.*` `managedflink.sessions.create` `managedflink.sessions.delete` `managedflink.sessions.get` `managedflink.sessions.list` `managedflink.sessions.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Managed Flink Service Agent (`roles/managedflink.serviceAgent`) Gives Managed Flink Service Agent access to Cloud Platform resources. Warning: Do not grant service agent roles to any principals except service agents.	`compute.networkAttachments.create` `compute.networkAttachments.delete` `compute.networkAttachments.get` `compute.networkAttachments.list` `compute.networkAttachments.update` `compute.networks.get` `compute.networks.list` `compute.regionOperations.get` `compute.subnetworks.get` `compute.subnetworks.list` `compute.subnetworks.use` `dns.networks.targetWithPeeringZone` `managedkafka.clusters.get` `managedkafka.clusters.list` `managedkafka.clusters.update` `monitoring.metricDescriptors.create` `monitoring.metricDescriptors.get` `monitoring.metricDescriptors.list` `monitoring.monitoredResourceDescriptors.*` `monitoring.monitoredResourceDescriptors.get` `monitoring.monitoredResourceDescriptors.list` `monitoring.timeSeries.create` `serviceusage.services.use` `storage.objects.get`
Managed Flink Viewer ^Beta (`roles/managedflink.viewer`) Readonly access to Managed Flink resources.	`managedflink.deployments.get` `managedflink.deployments.list` `managedflink.jobs.get` `managedflink.jobs.list` `managedflink.locations.*` `managedflink.locations.get` `managedflink.locations.list` `managedflink.operations.get` `managedflink.operations.list` `managedflink.sessions.get` `managedflink.sessions.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Managed Flink Admin ^Beta

(roles/managedflink.admin)

Full access to Managed Flink resources.

managedflink.*

managedflink.deployments.create
managedflink.deployments.delete
managedflink.deployments.get
managedflink.deployments.list
managedflink.deployments.update
managedflink.jobs.create
managedflink.jobs.delete
managedflink.jobs.get
managedflink.jobs.list
managedflink.jobs.update
managedflink.locations.get
managedflink.locations.list
managedflink.operations.cancel
managedflink.operations.delete
managedflink.operations.get
managedflink.operations.list
managedflink.sessions.create
managedflink.sessions.delete
managedflink.sessions.get
managedflink.sessions.list
managedflink.sessions.update

resourcemanager.projects.get

resourcemanager.projects.list

Managed Flink Developer ^Beta

(roles/managedflink.developer)

Full access to Managed Flink Jobs and Sessions and read access to Deployments.

managedflink.deployments.get

managedflink.deployments.list

managedflink.jobs.*

managedflink.jobs.create
managedflink.jobs.delete
managedflink.jobs.get
managedflink.jobs.list
managedflink.jobs.update

managedflink.locations.*

managedflink.locations.get
managedflink.locations.list

managedflink.operations.get

managedflink.operations.list

managedflink.sessions.*

managedflink.sessions.create
managedflink.sessions.delete
managedflink.sessions.get
managedflink.sessions.list
managedflink.sessions.update

resourcemanager.projects.get

resourcemanager.projects.list

Managed Flink Service Agent

(roles/managedflink.serviceAgent)

Gives Managed Flink Service Agent access to Cloud Platform resources.

compute.networkAttachments.create

compute.networkAttachments.delete

compute.networkAttachments.get

compute.networkAttachments.list

compute.networkAttachments.update

compute.networks.get

compute.networks.list

compute.regionOperations.get

compute.subnetworks.get

compute.subnetworks.list

compute.subnetworks.use

dns.networks.targetWithPeeringZone

managedkafka.clusters.get

managedkafka.clusters.list

managedkafka.clusters.update

monitoring.metricDescriptors.create

monitoring.metricDescriptors.get

monitoring.metricDescriptors.list

monitoring.monitoredResourceDescriptors.*

monitoring.monitoredResourceDescriptors.get
monitoring.monitoredResourceDescriptors.list

monitoring.timeSeries.create

serviceusage.services.use

storage.objects.get

Managed Flink Viewer ^Beta

(roles/managedflink.viewer)

Readonly access to Managed Flink resources.

managedflink.deployments.get

managedflink.deployments.list

managedflink.jobs.get

managedflink.jobs.list

managedflink.locations.*

managedflink.locations.get
managedflink.locations.list

managedflink.operations.get

managedflink.operations.list

managedflink.sessions.get

managedflink.sessions.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery Migration Service roles

This table lists the IAM roles and permissions for BigQuery Migration Service. To search through all roles and permissions, see the role and permission index.

Role Permissions

Role	Permissions
MigrationWorkflow Editor (`roles/bigquerymigration.editor`) Editor of EDW migration workflows.	`bigquerymigration.subtasks.*` `bigquerymigration.subtasks.get` `bigquerymigration.subtasks.list` `bigquerymigration.workflows.create` `bigquerymigration.workflows.delete` `bigquerymigration.workflows.enableAiOutputTypes` `bigquerymigration.workflows.enableLineageOutputTypes` `bigquerymigration.workflows.enableOutputTypePermissions` `bigquerymigration.workflows.get` `bigquerymigration.workflows.list` `bigquerymigration.workflows.update`
Task Orchestrator (`roles/bigquerymigration.orchestrator`) Orchestrator of EDW migration tasks.	`bigquerymigration.workflows.orchestrateTask` `storage.objects.list`
Migration Translation User (`roles/bigquerymigration.translationUser`) User of EDW migration interactive SQL translation service.	`bigquerymigration.translation.translate`
MigrationWorkflow Viewer (`roles/bigquerymigration.viewer`) Viewer of EDW migration MigrationWorkflow.	`bigquerymigration.subtasks.*` `bigquerymigration.subtasks.get` `bigquerymigration.subtasks.list` `bigquerymigration.workflows.get` `bigquerymigration.workflows.list`
Task Worker (`roles/bigquerymigration.worker`) Worker that executes EDW migration subtasks.	`storage.objects.create` `storage.objects.get` `storage.objects.list`

MigrationWorkflow Editor

(roles/bigquerymigration.editor)

Editor of EDW migration workflows.

bigquerymigration.subtasks.*

bigquerymigration.subtasks.get
bigquerymigration.subtasks.list

bigquerymigration.workflows.create

bigquerymigration.workflows.delete

bigquerymigration.workflows.enableAiOutputTypes

bigquerymigration.workflows.enableLineageOutputTypes

bigquerymigration.workflows.enableOutputTypePermissions

bigquerymigration.workflows.get

bigquerymigration.workflows.list

bigquerymigration.workflows.update

Task Orchestrator

(roles/bigquerymigration.orchestrator)

Orchestrator of EDW migration tasks.

bigquerymigration.workflows.orchestrateTask

storage.objects.list

Migration Translation User

(roles/bigquerymigration.translationUser)

User of EDW migration interactive SQL translation service.

bigquerymigration.translation.translate

MigrationWorkflow Viewer

(roles/bigquerymigration.viewer)

Viewer of EDW migration MigrationWorkflow.

bigquerymigration.subtasks.*

bigquerymigration.subtasks.get
bigquerymigration.subtasks.list

bigquerymigration.workflows.get

bigquerymigration.workflows.list

Task Worker

(roles/bigquerymigration.worker)

Worker that executes EDW migration subtasks.

storage.objects.create

storage.objects.get

storage.objects.list

BigQuery Omni roles

This table lists the IAM roles and permissions for BigQuery Omni. To search through all roles and permissions, see the role and permission index.

Role Permissions

Role	Permissions
BigQuery Omni Service Agent (`roles/bigqueryomni.serviceAgent`) Gives BigQuery Omni access to tables in user projects. Warning: Do not grant service agent roles to any principals except service agents.	`bigquery.jobs.create` `bigquery.tables.updateData`

BigQuery Omni Service Agent

(roles/bigqueryomni.serviceAgent)

Gives BigQuery Omni access to tables in user projects.

bigquery.jobs.create

bigquery.tables.updateData

This table lists the IAM roles and permissions for BigQuery sharing. To search through all roles and permissions, see the role and permission index.

Role Permissions

Role	Permissions
Analytics Hub Admin (`roles/analyticshub.admin`) Administer Data Exchanges and Listings	`analyticshub.dataExchanges.create` `analyticshub.dataExchanges.delete` `analyticshub.dataExchanges.get` `analyticshub.dataExchanges.getIamPolicy` `analyticshub.dataExchanges.list` `analyticshub.dataExchanges.setIamPolicy` `analyticshub.dataExchanges.update` `analyticshub.dataExchanges.viewSubscriptions` `analyticshub.listings.create` `analyticshub.listings.delete` `analyticshub.listings.get` `analyticshub.listings.getIamPolicy` `analyticshub.listings.list` `analyticshub.listings.setIamPolicy` `analyticshub.listings.update` `analyticshub.listings.viewSubscriptions` `analyticshub.subscriptions.*` `analyticshub.subscriptions.create` `analyticshub.subscriptions.delete` `analyticshub.subscriptions.get` `analyticshub.subscriptions.list` `analyticshub.subscriptions.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Analytics Hub Listing Admin (`roles/analyticshub.listingAdmin`) Grants full control over the Listing, including updating, deleting and setting ACLs	`analyticshub.dataExchanges.get` `analyticshub.dataExchanges.getIamPolicy` `analyticshub.dataExchanges.list` `analyticshub.listings.delete` `analyticshub.listings.get` `analyticshub.listings.getIamPolicy` `analyticshub.listings.list` `analyticshub.listings.setIamPolicy` `analyticshub.listings.update` `analyticshub.listings.viewSubscriptions` `resourcemanager.projects.get` `resourcemanager.projects.list`
Analytics Hub Publisher (`roles/analyticshub.publisher`) Can publish to Data Exchanges thus creating Listings	`analyticshub.dataExchanges.get` `analyticshub.dataExchanges.getIamPolicy` `analyticshub.dataExchanges.list` `analyticshub.listings.create` `analyticshub.listings.get` `analyticshub.listings.getIamPolicy` `analyticshub.listings.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Analytics Hub Subscriber (`roles/analyticshub.subscriber`) Can browse Data Exchanges and subscribe to Listings	`analyticshub.dataExchanges.get` `analyticshub.dataExchanges.getIamPolicy` `analyticshub.dataExchanges.list` `analyticshub.dataExchanges.subscribe` `analyticshub.listings.get` `analyticshub.listings.getIamPolicy` `analyticshub.listings.list` `analyticshub.listings.subscribe` `resourcemanager.projects.get` `resourcemanager.projects.list`
Analytics Hub Subscription Owner (`roles/analyticshub.subscriptionOwner`) Grants full control over the Subscription, including updating and deleting	`analyticshub.dataExchanges.get` `analyticshub.dataExchanges.getIamPolicy` `analyticshub.dataExchanges.list` `analyticshub.listings.get` `analyticshub.listings.getIamPolicy` `analyticshub.listings.list` `analyticshub.subscriptions.*` `analyticshub.subscriptions.create` `analyticshub.subscriptions.delete` `analyticshub.subscriptions.get` `analyticshub.subscriptions.list` `analyticshub.subscriptions.update` `resourcemanager.projects.get` `resourcemanager.projects.list`
Analytics Hub Viewer (`roles/analyticshub.viewer`) Can browse Data Exchanges and Listings	`analyticshub.dataExchanges.get` `analyticshub.dataExchanges.getIamPolicy` `analyticshub.dataExchanges.list` `analyticshub.listings.get` `analyticshub.listings.getIamPolicy` `analyticshub.listings.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Analytics Hub Admin

(roles/analyticshub.admin)

Administer Data Exchanges and Listings

analyticshub.dataExchanges.create

analyticshub.dataExchanges.delete

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.dataExchanges.setIamPolicy

analyticshub.dataExchanges.update

analyticshub.dataExchanges.viewSubscriptions

analyticshub.listings.create

analyticshub.listings.delete

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.setIamPolicy

analyticshub.listings.update

analyticshub.listings.viewSubscriptions

analyticshub.subscriptions.*

analyticshub.subscriptions.create
analyticshub.subscriptions.delete
analyticshub.subscriptions.get
analyticshub.subscriptions.list
analyticshub.subscriptions.update

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Listing Admin

(roles/analyticshub.listingAdmin)

Grants full control over the Listing, including updating, deleting and setting ACLs

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.delete

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.setIamPolicy

analyticshub.listings.update

analyticshub.listings.viewSubscriptions

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Publisher

(roles/analyticshub.publisher)

Can publish to Data Exchanges thus creating Listings

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.create

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Subscriber

(roles/analyticshub.subscriber)

Can browse Data Exchanges and subscribe to Listings

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.dataExchanges.subscribe

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.listings.subscribe

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Subscription Owner

(roles/analyticshub.subscriptionOwner)

Grants full control over the Subscription, including updating and deleting

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

analyticshub.subscriptions.*

analyticshub.subscriptions.create
analyticshub.subscriptions.delete
analyticshub.subscriptions.get
analyticshub.subscriptions.list
analyticshub.subscriptions.update

resourcemanager.projects.get

resourcemanager.projects.list

Analytics Hub Viewer

(roles/analyticshub.viewer)

Can browse Data Exchanges and Listings

analyticshub.dataExchanges.get

analyticshub.dataExchanges.getIamPolicy

analyticshub.dataExchanges.list

analyticshub.listings.get

analyticshub.listings.getIamPolicy

analyticshub.listings.list

resourcemanager.projects.get

resourcemanager.projects.list

BigQuery permissions

The following tables list the permissions available in BigQuery. These are included in predefined roles and can be used in custom role definitions. To search through all roles and permissions, see the role and permission index.

BigQuery permissions

This table lists the IAM permissions for BigQuery and the roles that include them. To search through all roles and permissions, see the role and permission index.

Permission	Included in roles
`bigquery.bireservations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.bireservations.update`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.capacityCommitments.create`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.capacityCommitments.delete`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.capacityCommitments.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.capacityCommitments.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.capacityCommitments.update`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.config.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Job User (`roles/bigquery.jobUser`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Studio User (`roles/bigquery.studioUser`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) FleetEngine Service Agent (`roles/fleetengine.serviceAgent`) Looker Service Agent (`roles/looker.serviceAgent`) BigQuery Data Transfer Service Agent (`roles/bigquerydatatransfer.serviceAgent`)
`bigquery.config.update`	Owner (`roles/owner`) Editor (`roles/editor`) Assured Workloads Administrator (`roles/assuredworkloads.admin`) Assured Workloads Editor (`roles/assuredworkloads.editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.connections.create`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Connection Admin (`roles/bigquery.connectionAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`)
`bigquery.connections.delegate`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Connection Admin (`roles/bigquery.connectionAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Dataplex Discovery BigLake Publishing Service Agent (`roles/dataplex.discoveryBigLakePublishingServiceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`)
`bigquery.connections.delete`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Connection Admin (`roles/bigquery.connectionAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`)
`bigquery.connections.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Connection Admin (`roles/bigquery.connectionAdmin`) BigQuery Connection User (`roles/bigquery.connectionUser`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Viewer (`roles/datacatalog.viewer`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`)
`bigquery.connections.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Connection Admin (`roles/bigquery.connectionAdmin`) BigQuery Connection User (`roles/bigquery.connectionUser`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`)
`bigquery.connections.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Connection Admin (`roles/bigquery.connectionAdmin`) BigQuery Connection User (`roles/bigquery.connectionUser`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`)
`bigquery.connections.setIamPolicy`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Connection Admin (`roles/bigquery.connectionAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Security Admin (`roles/iam.securityAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.connections.update`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Connection Admin (`roles/bigquery.connectionAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`)
`bigquery.connections.updateTag`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Connection Admin (`roles/bigquery.connectionAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Tag Editor (`roles/datacatalog.tagEditor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`)
`bigquery.connections.use`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Connection Admin (`roles/bigquery.connectionAdmin`) BigQuery Connection User (`roles/bigquery.connectionUser`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Dataplex Discovery BigLake Publishing Service Agent (`roles/dataplex.discoveryBigLakePublishingServiceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`)
`bigquery.dataPolicies.create`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Data Policy Admin (`roles/bigquerydatapolicy.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.dataPolicies.delete`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Data Policy Admin (`roles/bigquerydatapolicy.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.dataPolicies.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Data Policy Admin (`roles/bigquerydatapolicy.admin`) BigQuery Data Policy Viewer (`roles/bigquerydatapolicy.viewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.dataPolicies.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Data Policy Admin (`roles/bigquerydatapolicy.admin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.dataPolicies.getRawData`	Raw Data Reader (`roles/bigquerydatapolicy.rawDataReader`)
`bigquery.dataPolicies.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Data Policy Admin (`roles/bigquerydatapolicy.admin`) BigQuery Data Policy Viewer (`roles/bigquerydatapolicy.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.dataPolicies.maskedGet`	Masked Reader (`roles/bigquerydatapolicy.maskedReader`)
`bigquery.dataPolicies.setIamPolicy`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Data Policy Admin (`roles/bigquerydatapolicy.admin`) Security Admin (`roles/iam.securityAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.dataPolicies.update`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Data Policy Admin (`roles/bigquerydatapolicy.admin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.datasets.create`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Dataplex Discovery Publishing Service Agent (`roles/dataplex.discoveryPublishingServiceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Firebase Crashlytics Service Agent (`roles/firebasecrashlytics.serviceAgent`) FleetEngine Service Agent (`roles/fleetengine.serviceAgent`) Cloud Logging Service Agent (`roles/logging.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) StorageInsights Service Agent (`roles/storageinsights.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.datasets.createTagBinding`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.datasets.delete`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`bigquery.datasets.deleteTagBinding`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.datasets.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Viewer (`roles/datacatalog.viewer`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Dataplex Discovery Publishing Service Agent (`roles/dataplex.discoveryPublishingServiceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Firebase Crashlytics Service Agent (`roles/firebasecrashlytics.serviceAgent`) FleetEngine Service Agent (`roles/fleetengine.serviceAgent`) Cloud Logging Service Agent (`roles/logging.serviceAgent`) Looker Service Agent (`roles/looker.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Security Center Control Service Agent (`roles/securitycenter.controlServiceAgent`) Security Health Analytics Service Agent (`roles/securitycenter.securityHealthAnalyticsServiceAgent`) Security Center Service Agent (`roles/securitycenter.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.datasets.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`bigquery.datasets.link`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Logging Service Agent (`roles/logging.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.datasets.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.datasets.listSharedDatasetUsage`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.datasets.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.datasets.setIamPolicy`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Security Admin (`roles/iam.securityAdmin`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.datasets.update`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) SLZ BQDW Blueprint Project Level Remediator (`roles/securedlandingzone.bqdwProjectRemediator`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`bigquery.datasets.updateTag`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Tag Editor (`roles/datacatalog.tagEditor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.jobs.create`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Job User (`roles/bigquery.jobUser`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Studio User (`roles/bigquery.studioUser`) BigQuery User (`roles/bigquery.user`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) BigQuery Data Transfer Service Agent (`roles/bigquerydatatransfer.serviceAgent`) BigQuery Omni Service Agent (`roles/bigqueryomni.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Data Studio Service Agent (`roles/datastudio.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) FleetEngine Service Agent (`roles/fleetengine.serviceAgent`) Looker Service Agent (`roles/looker.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Monitoring Service Agent (`roles/monitoring.notificationServiceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.jobs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.jobs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.jobs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`)
`bigquery.jobs.listAll`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.jobs.listExecutionMetadata`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.jobs.update`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`)
`bigquery.models.create`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.models.delete`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.models.export`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Looker Service Agent (`roles/looker.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.models.getData`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Looker Service Agent (`roles/looker.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.models.getMetadata`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Viewer (`roles/datacatalog.viewer`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Looker Service Agent (`roles/looker.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.models.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Looker Service Agent (`roles/looker.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.models.updateData`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.models.updateMetadata`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.models.updateTag`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Tag Editor (`roles/datacatalog.tagEditor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.objectRefs.read`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery ObjectRef Admin (`roles/bigquery.objectRefAdmin`) BigQuery ObjectRef Reader (`roles/bigquery.objectRefReader`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`)
`bigquery.objectRefs.write`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery ObjectRef Admin (`roles/bigquery.objectRefAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.readsessions.create`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Read Session User (`roles/bigquery.readSessionUser`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Studio User (`roles/bigquery.studioUser`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.readsessions.getData`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Read Session User (`roles/bigquery.readSessionUser`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Studio User (`roles/bigquery.studioUser`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.readsessions.update`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Read Session User (`roles/bigquery.readSessionUser`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery Studio User (`roles/bigquery.studioUser`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.reservationAssignments.create`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.reservationAssignments.delete`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.reservationAssignments.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.reservationAssignments.search`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.reservations.create`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.reservations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.reservations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.reservations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.reservations.listFailoverDatasets`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Resource Viewer (`roles/bigquery.resourceViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.reservations.update`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.reservations.use`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Resource Admin (`roles/bigquery.resourceAdmin`) BigQuery Resource Editor (`roles/bigquery.resourceEditor`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.routines.create`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`bigquery.routines.delete`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.routines.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Viewer (`roles/datacatalog.viewer`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`bigquery.routines.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.routines.update`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`bigquery.routines.updateTag`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Tag Editor (`roles/datacatalog.tagEditor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.rowAccessPolicies.create`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.rowAccessPolicies.delete`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.rowAccessPolicies.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.rowAccessPolicies.getFilteredData`	BigQuery Filtered Data Viewer (`roles/bigquery.filteredDataViewer`)
`bigquery.rowAccessPolicies.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.rowAccessPolicies.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.rowAccessPolicies.overrideTimeTravelRestrictions`	BigQuery Admin (`roles/bigquery.admin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.rowAccessPolicies.setIamPolicy`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Security Admin (`roles/iam.securityAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.rowAccessPolicies.update`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.savedqueries.create`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.savedqueries.delete`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.savedqueries.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.savedqueries.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.savedqueries.update`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.tables.create`	BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Firebase Crashlytics Service Agent (`roles/firebasecrashlytics.serviceAgent`) Looker Service Agent (`roles/looker.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.tables.createIndex`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.tables.createSnapshot`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Looker Service Agent (`roles/looker.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.tables.createTagBinding`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.tables.delete`	BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`)
`bigquery.tables.deleteIndex`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.tables.deleteSnapshot`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.tables.deleteTagBinding`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.tables.export`	BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Looker Service Agent (`roles/looker.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.tables.get`	BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Viewer (`roles/datacatalog.viewer`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Datapipelines Service Agent (`roles/datapipelines.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Firebase Crashlytics Service Agent (`roles/firebasecrashlytics.serviceAgent`) Looker Service Agent (`roles/looker.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.tables.getData`	BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Data Labeling Service Agent (`roles/datalabeling.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Firebase Crashlytics Service Agent (`roles/firebasecrashlytics.serviceAgent`) FleetEngine Service Agent (`roles/fleetengine.serviceAgent`) Looker Service Agent (`roles/looker.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.tables.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.tables.list`	BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Metadata Viewer (`roles/bigquery.metadataViewer`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Reader (`roles/dataplex.storageDataReader`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Looker Service Agent (`roles/looker.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`)
`bigquery.tables.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.tables.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) DSPM Service Agent (`roles/dspm.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.tables.replicateData`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Data Viewer (`roles/bigquery.dataViewer`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.tables.restoreSnapshot`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.tables.setCategory`	BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`)
`bigquery.tables.setColumnDataPolicy`	BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.tables.setIamPolicy`	Owner (`roles/owner`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Security Admin (`roles/iam.securityAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.tables.update`	BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Firebase Crashlytics Service Agent (`roles/firebasecrashlytics.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.tables.updateData`	BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Dataplex Storage Data Owner (`roles/dataplex.storageDataOwner`) Dataplex Storage Data Writer (`roles/dataplex.storageDataWriter`) Datastream Bigquery Writer (`roles/datastream.bigqueryWriter`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Vertex AI Custom Code Service Agent (`roles/aiplatform.customCodeServiceAgent`) Vertex AI Model Monitoring Service Agent (`roles/aiplatform.modelMonitoringServiceAgent`) Vertex AI RAG Data Service Agent (`roles/aiplatform.ragServiceAgent`) Vertex AI Service Agent (`roles/aiplatform.serviceAgent`) Vertex AI Tuning Service Agent (`roles/aiplatform.tuningServiceAgent`) AutoML Service Agent (`roles/automl.serviceAgent`) Recommendations AI Service Agent (`roles/automlrecommendations.serviceAgent`) BigQuery Omni Service Agent (`roles/bigqueryomni.serviceAgent`) Chronicle Service Agent (`roles/chronicle.serviceAgent`) Cloud Asset Service Agent (`roles/cloudasset.serviceAgent`) Cloud Deployment Manager Service Agent (`roles/clouddeploymentmanager.serviceAgent`) Contact Center AI Insights Service Agent (`roles/contactcenterinsights.serviceAgent`) Kubernetes Engine Service Agent (`roles/container.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`) Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Datastream Service Agent (`roles/datastream.serviceAgent`) Dialogflow Service Agent (`roles/dialogflow.serviceAgent`) Discovery Engine Service Agent (`roles/discoveryengine.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Enterprise Knowledge Graph Service Agent (`roles/enterpriseknowledgegraph.serviceAgent`) Firebase Crashlytics Service Agent (`roles/firebasecrashlytics.serviceAgent`) AI Platform Service Agent (`roles/ml.serviceAgent`) Retail Service Agent (`roles/retail.serviceAgent`) Spectrum SAS Service Agent (`roles/spectrumsas.serviceAgent`) Cloud Vision AI Service Agent (`roles/visionai.serviceAgent`) Vertex AI Batch Prediction Service Agent (`roles/aiplatform.batchPredictionServiceAgent`)
`bigquery.tables.updateIndex`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.tables.updateTag`	BigQuery Admin (`roles/bigquery.admin`) BigQuery Data Editor (`roles/bigquery.dataEditor`) BigQuery Data Owner (`roles/bigquery.dataOwner`) BigQuery Security Admin (`roles/bigquery.securityAdmin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Data Catalog Admin (`roles/datacatalog.admin`) Data Catalog Tag Editor (`roles/datacatalog.tagEditor`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Data Fusion API Service Agent (`roles/datafusion.serviceAgent`) Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) DLP API Service Agent (`roles/dlp.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.transfers.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquery.transfers.update`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Firebase Service Management Service Agent (`roles/firebase.managementServiceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)

BigQuery Connection API permissions

There are no IAM permissions for this service.

BigQuery Continuous Query permissions

There are no IAM permissions for this service.

BigQuery Data Policy permissions

There are no IAM permissions for this service.

BigQuery Data Transfer Service permissions

There are no IAM permissions for this service.

BigQuery Engine for Apache Flink permissions

This table lists the IAM permissions for BigQuery Engine for Apache Flink and the roles that include them. To search through all roles and permissions, see the role and permission index.

Permission	Included in roles
`managedflink.deployments.create`	Owner (`roles/owner`) Editor (`roles/editor`) Managed Flink Admin (`roles/managedflink.admin`)
`managedflink.deployments.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Managed Flink Admin (`roles/managedflink.admin`)
`managedflink.deployments.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`) Managed Flink Viewer (`roles/managedflink.viewer`)
`managedflink.deployments.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`) Managed Flink Viewer (`roles/managedflink.viewer`)
`managedflink.deployments.update`	Owner (`roles/owner`) Editor (`roles/editor`) Managed Flink Admin (`roles/managedflink.admin`)
`managedflink.jobs.create`	Owner (`roles/owner`) Editor (`roles/editor`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`)
`managedflink.jobs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`)
`managedflink.jobs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`) Managed Flink Viewer (`roles/managedflink.viewer`)
`managedflink.jobs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`) Managed Flink Viewer (`roles/managedflink.viewer`)
`managedflink.jobs.update`	Owner (`roles/owner`) Editor (`roles/editor`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`)
`managedflink.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`) Managed Flink Viewer (`roles/managedflink.viewer`)
`managedflink.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`) Managed Flink Viewer (`roles/managedflink.viewer`)
`managedflink.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Managed Flink Admin (`roles/managedflink.admin`)
`managedflink.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Managed Flink Admin (`roles/managedflink.admin`)
`managedflink.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`) Managed Flink Viewer (`roles/managedflink.viewer`)
`managedflink.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`) Managed Flink Viewer (`roles/managedflink.viewer`)
`managedflink.sessions.create`	Owner (`roles/owner`) Editor (`roles/editor`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`)
`managedflink.sessions.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`)
`managedflink.sessions.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`) Managed Flink Viewer (`roles/managedflink.viewer`)
`managedflink.sessions.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`) Managed Flink Viewer (`roles/managedflink.viewer`)
`managedflink.sessions.update`	Owner (`roles/owner`) Editor (`roles/editor`) Managed Flink Admin (`roles/managedflink.admin`) Managed Flink Developer (`roles/managedflink.developer`)

BigQuery Migration Service permissions

This table lists the IAM permissions for BigQuery Migration Service and the roles that include them. To search through all roles and permissions, see the role and permission index.

Permission	Included in roles
`bigquerymigration.subtasks.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) MigrationWorkflow Editor (`roles/bigquerymigration.editor`) MigrationWorkflow Viewer (`roles/bigquerymigration.viewer`)
`bigquerymigration.subtasks.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) MigrationWorkflow Editor (`roles/bigquerymigration.editor`) MigrationWorkflow Viewer (`roles/bigquerymigration.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`bigquerymigration.translation.translate`	Owner (`roles/owner`) Editor (`roles/editor`) BigQuery Admin (`roles/bigquery.admin`) BigQuery Studio Admin (`roles/bigquery.studioAdmin`) BigQuery User (`roles/bigquery.user`) Migration Translation User (`roles/bigquerymigration.translationUser`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Dataplex Service Agent (`roles/dataplex.serviceAgent`) Dataprep Service Agent (`roles/dataprep.serviceAgent`) Cloud Dataflow Service Agent (`roles/dataflow.serviceAgent`)
`bigquerymigration.workflows.create`	Owner (`roles/owner`) Editor (`roles/editor`) MigrationWorkflow Editor (`roles/bigquerymigration.editor`)
`bigquerymigration.workflows.delete`	Owner (`roles/owner`) Editor (`roles/editor`) MigrationWorkflow Editor (`roles/bigquerymigration.editor`)
`bigquerymigration.workflows.enableAiOutputTypes`	Owner (`roles/owner`) Editor (`roles/editor`) MigrationWorkflow Editor (`roles/bigquerymigration.editor`)
`bigquerymigration.workflows.enableLineageOutputTypes`	Owner (`roles/owner`) Editor (`roles/editor`) MigrationWorkflow Editor (`roles/bigquerymigration.editor`)
`bigquerymigration.workflows.enableOutputTypePermissions`	Owner (`roles/owner`) Editor (`roles/editor`) MigrationWorkflow Editor (`roles/bigquerymigration.editor`)
`bigquerymigration.workflows.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) MigrationWorkflow Editor (`roles/bigquerymigration.editor`) MigrationWorkflow Viewer (`roles/bigquerymigration.viewer`)
`bigquerymigration.workflows.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) MigrationWorkflow Editor (`roles/bigquerymigration.editor`) MigrationWorkflow Viewer (`roles/bigquerymigration.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`bigquerymigration.workflows.orchestrateTask`	Owner (`roles/owner`) Task Orchestrator (`roles/bigquerymigration.orchestrator`)
`bigquerymigration.workflows.update`	Owner (`roles/owner`) Editor (`roles/editor`) MigrationWorkflow Editor (`roles/bigquerymigration.editor`)

BigQuery Omni permissions

There are no IAM permissions for this service.

This table lists the IAM permissions for BigQuery sharing and the roles that include them. To search through all roles and permissions, see the role and permission index.

Permission	Included in roles
`analyticshub.dataExchanges.create`	Owner (`roles/owner`) Editor (`roles/editor`) Analytics Hub Admin (`roles/analyticshub.admin`)
`analyticshub.dataExchanges.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Analytics Hub Admin (`roles/analyticshub.admin`)
`analyticshub.dataExchanges.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Listing Admin (`roles/analyticshub.listingAdmin`) Analytics Hub Publisher (`roles/analyticshub.publisher`) Analytics Hub Subscriber (`roles/analyticshub.subscriber`) Analytics Hub Subscription Owner (`roles/analyticshub.subscriptionOwner`) Analytics Hub Viewer (`roles/analyticshub.viewer`)
`analyticshub.dataExchanges.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Listing Admin (`roles/analyticshub.listingAdmin`) Analytics Hub Publisher (`roles/analyticshub.publisher`) Analytics Hub Subscriber (`roles/analyticshub.subscriber`) Analytics Hub Subscription Owner (`roles/analyticshub.subscriptionOwner`) Analytics Hub Viewer (`roles/analyticshub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`analyticshub.dataExchanges.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Listing Admin (`roles/analyticshub.listingAdmin`) Analytics Hub Publisher (`roles/analyticshub.publisher`) Analytics Hub Subscriber (`roles/analyticshub.subscriber`) Analytics Hub Subscription Owner (`roles/analyticshub.subscriptionOwner`) Analytics Hub Viewer (`roles/analyticshub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`analyticshub.dataExchanges.setIamPolicy`	Owner (`roles/owner`) Analytics Hub Admin (`roles/analyticshub.admin`) Security Admin (`roles/iam.securityAdmin`)
`analyticshub.dataExchanges.subscribe`	Owner (`roles/owner`) Analytics Hub Subscriber (`roles/analyticshub.subscriber`)
`analyticshub.dataExchanges.update`	Owner (`roles/owner`) Editor (`roles/editor`) Analytics Hub Admin (`roles/analyticshub.admin`)
`analyticshub.dataExchanges.viewSubscriptions`	Owner (`roles/owner`) Analytics Hub Admin (`roles/analyticshub.admin`)
`analyticshub.listings.create`	Owner (`roles/owner`) Editor (`roles/editor`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Publisher (`roles/analyticshub.publisher`)
`analyticshub.listings.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Listing Admin (`roles/analyticshub.listingAdmin`)
`analyticshub.listings.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Listing Admin (`roles/analyticshub.listingAdmin`) Analytics Hub Publisher (`roles/analyticshub.publisher`) Analytics Hub Subscriber (`roles/analyticshub.subscriber`) Analytics Hub Subscription Owner (`roles/analyticshub.subscriptionOwner`) Analytics Hub Viewer (`roles/analyticshub.viewer`)
`analyticshub.listings.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Listing Admin (`roles/analyticshub.listingAdmin`) Analytics Hub Publisher (`roles/analyticshub.publisher`) Analytics Hub Subscriber (`roles/analyticshub.subscriber`) Analytics Hub Subscription Owner (`roles/analyticshub.subscriptionOwner`) Analytics Hub Viewer (`roles/analyticshub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`analyticshub.listings.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Listing Admin (`roles/analyticshub.listingAdmin`) Analytics Hub Publisher (`roles/analyticshub.publisher`) Analytics Hub Subscriber (`roles/analyticshub.subscriber`) Analytics Hub Subscription Owner (`roles/analyticshub.subscriptionOwner`) Analytics Hub Viewer (`roles/analyticshub.viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`analyticshub.listings.setIamPolicy`	Owner (`roles/owner`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Listing Admin (`roles/analyticshub.listingAdmin`) Security Admin (`roles/iam.securityAdmin`)
`analyticshub.listings.subscribe`	Owner (`roles/owner`) Analytics Hub Subscriber (`roles/analyticshub.subscriber`)
`analyticshub.listings.update`	Owner (`roles/owner`) Editor (`roles/editor`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Listing Admin (`roles/analyticshub.listingAdmin`)
`analyticshub.listings.viewSubscriptions`	Owner (`roles/owner`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Listing Admin (`roles/analyticshub.listingAdmin`)
`analyticshub.subscriptions.create`	Owner (`roles/owner`) Editor (`roles/editor`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Subscription Owner (`roles/analyticshub.subscriptionOwner`)
`analyticshub.subscriptions.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Subscription Owner (`roles/analyticshub.subscriptionOwner`)
`analyticshub.subscriptions.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Subscription Owner (`roles/analyticshub.subscriptionOwner`)
`analyticshub.subscriptions.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Subscription Owner (`roles/analyticshub.subscriptionOwner`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`)
`analyticshub.subscriptions.update`	Owner (`roles/owner`) Editor (`roles/editor`) Analytics Hub Admin (`roles/analyticshub.admin`) Analytics Hub Subscription Owner (`roles/analyticshub.subscriptionOwner`)

Permissions for BigQuery ML tasks

The following table describes the permissions needed for common BigQuery ML tasks.

Permission	Description
`bigquery.jobs.create` `bigquery.models.create` `bigquery.models.getData` `bigquery.models.updateData`	Create a new model using `CREATE MODEL` statement
`bigquery.jobs.create` `bigquery.models.create` `bigquery.models.getData` `bigquery.models.updateData` `bigquery.models.updateMetadata`	Replace an existing model using `CREATE OR REPLACE MODEL` statement
`bigquery.models.delete`	Delete model using models.delete API
`bigquery.jobs.create` `bigquery.models.delete`	Delete model using `DROP MODEL` statement
`bigquery.models.getMetadata`	Get model metadata using models.get API
`bigquery.models.list`	List models and metadata on models using models.list API
`bigquery.models.updateMetadata`	Update model metadata using models.delete API. If setting or updating a non-zero expiration time for Model, `bigquery.models.delete` permission is also needed
`bigquery.jobs.create` `bigquery.models.getData`	Perform evaluation, prediction and model and feature inspections using functions such as `ML.EVALUATE`, `ML.PREDICT`, `ML.TRAINING_INFO`, and `ML.WEIGHTS`.
`bigquery.jobs.create` `bigquery.models.export`	Export a model
`bigquery.models.updateTag`	Update Data Catalog tags for a model.

What's next

For more information about assigning roles at the dataset level, see Controlling access to datasets.
For more information about assigning roles at the table or view level, see Controlling access to tables and views.

BigQuery IAM roles and permissions

BigQuery predefined IAM roles

BigQuery roles

BigQuery Admin

BigQuery Connection Admin

BigQuery Connection User

BigQuery Data Editor

BigQuery Data Owner

BigQuery Data Viewer

BigQuery Filtered Data Viewer

BigQuery Job User

BigQuery Metadata Viewer

BigQuery ObjectRef Admin

BigQuery ObjectRef Reader

BigQuery Read Session User

BigQuery Resource Admin

BigQuery Resource Editor

BigQuery Resource Viewer

BigQuery Security Admin Beta

BigQuery Studio Admin

BigQuery Studio User

BigQuery User

BigQuery Connection API roles

BigQuery Connection Service Agent

BigQuery Continuous Query roles

BigQuery Continuous Query Service Agent

BigQuery Data Policy roles

BigQuery Data Policy Admin

Masked Reader

Raw Data Reader Beta

BigQuery Data Policy Viewer

BigQuery Data Transfer Service roles

BigQuery Data Transfer Service Agent

BigQuery Engine for Apache Flink roles

Managed Flink Admin Beta

Managed Flink Developer Beta

Managed Flink Service Agent

Managed Flink Viewer Beta

BigQuery Migration Service roles

MigrationWorkflow Editor

Task Orchestrator

Migration Translation User

MigrationWorkflow Viewer

Task Worker

BigQuery Omni roles

BigQuery Omni Service Agent

BigQuery sharing roles

Analytics Hub Admin

Analytics Hub Listing Admin

Analytics Hub Publisher

Analytics Hub Subscriber

Analytics Hub Subscription Owner

Analytics Hub Viewer

BigQuery permissions

BigQuery permissions

bigquery.bireservations.get

bigquery.bireservations.update

bigquery.capacityCommitments.create

bigquery.capacityCommitments.delete

bigquery.capacityCommitments.get

bigquery.capacityCommitments.list

bigquery.capacityCommitments.update

bigquery.config.get

bigquery.config.update

bigquery.connections.create

bigquery.connections.delegate

bigquery.connections.delete

bigquery.connections.get

bigquery.connections.getIamPolicy

bigquery.connections.list

bigquery.connections.setIamPolicy

bigquery.connections.update

bigquery.connections.updateTag

bigquery.connections.use

bigquery.dataPolicies.create

bigquery.dataPolicies.delete

bigquery.dataPolicies.get

bigquery.dataPolicies.getIamPolicy

bigquery.dataPolicies.getRawData

bigquery.dataPolicies.list

BigQuery Security Admin ^Beta

Raw Data Reader ^Beta

Managed Flink Admin ^Beta

Managed Flink Developer ^Beta

Managed Flink Viewer ^Beta

`bigquery.bireservations.get`

`bigquery.bireservations.update`

`bigquery.capacityCommitments.create`

`bigquery.capacityCommitments.delete`

`bigquery.capacityCommitments.get`

`bigquery.capacityCommitments.list`

`bigquery.capacityCommitments.update`

`bigquery.config.get`

`bigquery.config.update`

`bigquery.connections.create`

`bigquery.connections.delegate`

`bigquery.connections.delete`

`bigquery.connections.get`

`bigquery.connections.getIamPolicy`

`bigquery.connections.list`

`bigquery.connections.setIamPolicy`

`bigquery.connections.update`

`bigquery.connections.updateTag`

`bigquery.connections.use`

`bigquery.dataPolicies.create`

`bigquery.dataPolicies.delete`

`bigquery.dataPolicies.get`

`bigquery.dataPolicies.getIamPolicy`

`bigquery.dataPolicies.getRawData`

`bigquery.dataPolicies.list`

`bigquery.dataPolicies.maskedGet`

`bigquery.dataPolicies.setIamPolicy`

`bigquery.dataPolicies.update`

`bigquery.datasets.create`

`bigquery.datasets.createTagBinding`

`bigquery.datasets.delete`

`bigquery.datasets.deleteTagBinding`

`bigquery.datasets.get`

`bigquery.datasets.getIamPolicy`

`bigquery.datasets.link`

`bigquery.datasets.listEffectiveTags`

`bigquery.datasets.listSharedDatasetUsage`

`bigquery.datasets.listTagBindings`

`bigquery.datasets.setIamPolicy`

`bigquery.datasets.update`

`bigquery.datasets.updateTag`

`bigquery.jobs.create`

`bigquery.jobs.delete`

`bigquery.jobs.get`

`bigquery.jobs.list`

`bigquery.jobs.listAll`

`bigquery.jobs.listExecutionMetadata`

`bigquery.jobs.update`

`bigquery.models.create`

`bigquery.models.delete`

`bigquery.models.export`

`bigquery.models.getData`

`bigquery.models.getMetadata`

`bigquery.models.list`

`bigquery.models.updateData`

`bigquery.models.updateMetadata`

`bigquery.models.updateTag`

`bigquery.objectRefs.read`

`bigquery.objectRefs.write`

`bigquery.readsessions.create`

`bigquery.readsessions.getData`

`bigquery.readsessions.update`

`bigquery.reservationAssignments.create`

`bigquery.reservationAssignments.delete`

`bigquery.reservationAssignments.list`

`bigquery.reservationAssignments.search`

`bigquery.reservations.create`

`bigquery.reservations.delete`

`bigquery.reservations.get`

`bigquery.reservations.list`

`bigquery.reservations.listFailoverDatasets`

`bigquery.reservations.update`

`bigquery.reservations.use`

`bigquery.routines.create`

`bigquery.routines.delete`